- Type: Bug
- Resolution: Fixed
- Priority: High
- 4.10.1
- None
- Severity 2 - Major
- 1
Certain permissions relating to Default Reviewers could be circumvented by authenticated users.
[BSERV-9392] Permission issue when configuring Default Reviewers
Workflow | Original: Stash Workflow - Restricted [ 1630056 ] | New: JAC Bug Workflow v3 [ 3136285 ] |
Symptom Severity | Original: Major [ 14431 ] | New: Severity 2 - Major [ 15831 ] |
Security | Original: Reporter and Atlassian Staff [ 10751 ] |
Description | Original: Certain permissions relating to Default Reviewers could be circumvented by logged-in users. | New: Certain permissions relating to Default Reviewers could be circumvented by authenticated users. |
Description | Original: Logged in u | New: Certain permissions relating to Default Reviewers could be circumvented by logged-in users. |
Resolution | New: Fixed [ 1 ] |
Status | Original: Needs Triage [ 10030 ] | New: Closed [ 6 ] |
Labels | Original: bplump-radar cvss-medium expedite security | New: cvss-medium security |
Summary | Original: Non-admins can access Default Reviewers Page | New: Permission issue when configuring Default Reviewers |
Description |
Original:
h3. Summary
Anyone with permissions to a repository can access the Default Reviewer admin page if they know the URL. [http://localhost:7990/plugins/servlet/default-reviewers/projects/$project/repos/$repo]

h3. Steps to Reproduce
# Log in as a non-admin to Bitbucket and go to the URL above.
# Add or remove default reviewers

h3. Expected Results
Only repository admins should be able to access this page.

h3. Actual Results
Anyone *with permissions to a repository* can access and modify default reviewers. |
New: Logged in u |
Link | New: This issue is cloned from BSERV-9316 [ BSERV-9316 ] |
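The reporter's original description in the change history above pins the bug down to a servlet that anyone able to read the repository could reach by URL, and through which they could also modify the reviewer list. The following is an added example, not the plugin's own code and not taken from the issue: a Bitbucket Server servlet in that shape, with the reported behaviour (no repository-admin check on the admin servlet) switchable beside the hardened form, which validates REPO_ADMIN on both the page render and the modifying request. The servlet class, its constructor wiring, the path layout and the VULNERABLE_BEHAVIOUR switch are assumptions; PermissionValidationService, Permission.REPO_ADMIN, RepositoryService.getBySlug and AuthorisationException are from the Bitbucket Server Java API.

```java
import java.io.IOException;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.atlassian.bitbucket.AuthorisationException;
import com.atlassian.bitbucket.permission.Permission;
import com.atlassian.bitbucket.permission.PermissionValidationService;
import com.atlassian.bitbucket.repository.Repository;
import com.atlassian.bitbucket.repository.RepositoryService;

/**
 * Hypothetical servlet behind
 *   /plugins/servlet/default-reviewers/projects/{project}/repos/{repo}
 * Illustrates the class of bug in BSERV-9392; it is not the plugin's real code.
 */
public class DefaultReviewersAdminServlet extends HttpServlet {

    // Assumed switch: true reproduces the reported behaviour (no REPO_ADMIN check).
    private static final boolean VULNERABLE_BEHAVIOUR = false;

    private final RepositoryService repositoryService;
    private final PermissionValidationService permissionValidationService;

    public DefaultReviewersAdminServlet(RepositoryService repositoryService,
                                        PermissionValidationService permissionValidationService) {
        this.repositoryService = repositoryService;
        this.permissionValidationService = permissionValidationService;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        Repository repo = resolveRepository(req);
        if (repo == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        if (!enforceRepoAdmin(repo, resp)) {
            return;
        }
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().write("<h1>Default reviewers for " + repo.getSlug() + "</h1>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        Repository repo = resolveRepository(req);
        if (repo == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // The write path needs the same check: the report says non-admins could
        // add or remove reviewers, not merely view the page.
        if (!enforceRepoAdmin(repo, resp)) {
            return;
        }
        // Applying the add/remove request is outside the scope of this example.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    /**
     * Returns true if the caller may administer the repository, otherwise
     * sends 403 and returns false. In the vulnerable variant nothing is checked
     * here: the only "protection" was that the admin UI did not link to the page.
     */
    private boolean enforceRepoAdmin(Repository repo, HttpServletResponse resp) throws IOException {
        if (VULNERABLE_BEHAVIOUR) {
            return true; // anyone who can resolve the repository gets through
        }
        try {
            // Throws AuthorisationException unless the current user holds REPO_ADMIN
            // on this repository (higher project or global permissions are inherited).
            permissionValidationService.validateForRepository(repo, Permission.REPO_ADMIN);
            return true;
        } catch (AuthorisationException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
    }

    /** Parses /projects/{key}/repos/{slug} from the servlet path info. */
    private Repository resolveRepository(HttpServletRequest req) {
        String path = req.getPathInfo();   // e.g. "/projects/PROJ/repos/my-repo"
        if (path == null) {
            return null;
        }
        String[] parts = path.split("/");  // ["", "projects", "PROJ", "repos", "my-repo"]
        if (parts.length != 5 || !"projects".equals(parts[1]) || !"repos".equals(parts[3])) {
            return null;
        }
        return repositoryService.getBySlug(parts[2], parts[4]);
    }
}
```

A practical check for the fix itself: authenticated as a user holding only read access on the repository, request the URL from the description and also issue a reviewer-modifying POST to it. A fixed server must refuse both; hiding the link in the repository settings UI is not an authorization control, so the check has to live in the servlet's GET and POST handlers.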