[CONFSERVER-25350] '/users/userpicker.action' exposes users loginids and full names in instance with anonymous access enabled - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 4.3
Affects Version/s: 4.1.7
Component/s: None
Labels:

CVSS Score:
4.3
Bug Fix Policy:
View Atlassian Server bug fix policy

LDAP directory users and groups exposed via the /users/userpicker.action.

There should be an option to restrict this to authenticated users only and perhaps this should be the default behavior.

The second exposed function that is part of this vulnerability is /spaces/opengrouppicker.action which can be accessed by anonymous users for internal directory browsing.

is related to

CONFSERVER-25322 The vulnerability exists in the standalone and also in the online demonstration enviroment.

Closed

No work has yet been logged on this issue.

Assignee:: Chii (Inactive)

Reporter:: Guilherme Nedel (Inactive)

Affected customers:: 0 This affects my team

Watchers:: 7 Start watching this issue

Created:: 26/Apr/2012 4:54 PM

Updated:: 11/Oct/2018 9:03 AM

Resolved:: 21/May/2013 11:32 PM