statTypes REST API exposes all statistics field names anonymously

XMLWordPrintable

    • 5

      On an instance with no anonymous access enabled, /rest/gadget/1.0/statTypes returns a list of all stattable custom fields (names and IDs) in the instance in response to anonymous requests.

      This is a nasty exposure of data - admins have no way of knowing that private data shouldn't be put into custom field names. For example, on our own private JIRA instance for tracking QA recruitment, the field names give a fair bit of information away about the intent of the questions and the attributes we're judging candidates by.

      I know we don't have field-level permissions, but there's got to be some existing permission we can sensibly enforce on this REST API to limit the exposure.

      Discovered by hnguyen@atlassian.com .

              Assignee:
              Oswaldo Hernandez (Inactive)
              Reporter:
              Penny Wyatt (On Leave to July 2021)
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: