Uploaded image for project: 'Atlassian Cloud'
  1. Atlassian Cloud
  2. CLOUD-11166

API call exposes user information hence making site vulnerable

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Timed out
    • Icon: Low Low
    • JIRA
    • None

      Issue Summary

       

      /rest/api/2/user/picker API call exposes user information to the external users despite the Browse user and group permissions being set correctly.

      Steps to Reproduce

      1. For any test site, try accessing this  https:// {site}.atlassian.net/rest/api/2/user/picker?query=xxxuser, it will show user details 
      1. I was able to replicate the same on my site https://dexter1234.atlassian.net/rest/api/2/user/picker?query=mgodhwani

      Expected Results

        If the global permission to see users or groups are restricted, no one should be able to retrieve user information

      Actual Results

      User information is exposed.

      Workaround

      No workaround

        1. image-2021-03-25-09-35-26-134.png
          29 kB
          Matthew 𝓭𝓻𝓴𝓷𝓸 Knox

              Unassigned Unassigned
              mgodhwani@atlassian.com Madhuri Godhwani (Inactive)
              Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: