[CRUC-7516] It is possible to access the list of patches in a review and their content by unprivileged users - Create and track feature requests for Atlassian products.

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Medium
Resolution: Fixed
Affects Version/s: 2.10.0, 3.0.0
Fix Version/s: 3.9.2
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

Description

We've discovered and fixed a security issue, where the attacker could (using the REST API):

access the list of patches in a review (their filename, database id upload date and anchor details) without authentication
access the patch content for any review as long as he had view access to any other review on the server

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Lukasz Pater

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 01/Dec/2015 10:54 AM

Updated:: 09/Aug/2017 7:35 AM

Resolved:: 01/Dec/2015 10:56 AM