Information disclosure in REST API


    • 5.01
    • 4

      REST endpoints to search groups and to list issue resolutions allow anonymous/unauthenticated access.

      The former allows enumerating all groups on a JIRA instance (by sending multiple queries, as results are limited by jira.ajax.autocomplete.limit). We've verified this on an instance without any public projects / groups / whatsoever running version 5.1.1.

      For an example see:
      https://jira.atlassian.com/rest/api/2/groups/picker
      https://jira.atlassian.com/rest/api/2/resolution
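A defender-side check, added here and not part of the original report: it scans constructed access-log lines (Common Log Format, assumed for illustration, not JIRA's own log layout) for anonymous 2xx responses from the two endpoints above and flags source addresses that repeat group-picker queries, the pattern the report describes. The sample addresses, timestamps and the threshold are assumptions.

```python
import re
from collections import Counter

# Endpoints named in the report that should not serve anonymous clients.
SENSITIVE_PATHS = ("/rest/api/2/groups/picker", "/rest/api/2/resolution")

# Constructed sample log lines (Common Log Format); the third field is the
# authenticated user, "-" meaning anonymous. Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Aug/2012:10:01:02 +0000] "GET /rest/api/2/groups/picker?query=a HTTP/1.1" 200 512
203.0.113.5 - - [07/Aug/2012:10:01:03 +0000] "GET /rest/api/2/groups/picker?query=b HTTP/1.1" 200 498
203.0.113.5 - - [07/Aug/2012:10:01:04 +0000] "GET /rest/api/2/groups/picker?query=c HTTP/1.1" 200 530
198.51.100.9 - alice [07/Aug/2012:10:02:00 +0000] "GET /rest/api/2/groups/picker?query=dev HTTP/1.1" 200 120
203.0.113.7 - - [07/Aug/2012:10:03:00 +0000] "GET /rest/api/2/resolution HTTP/1.1" 200 301
203.0.113.7 - - [07/Aug/2012:10:03:05 +0000] "GET /browse/TEST-1 HTTP/1.1" 200 9000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one CLF line into a dict; the query string is stripped from the path."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def find_anonymous_hits(log_text):
    """Return (ip, path) for every anonymous request that got a 2xx from a sensitive endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["user"] == "-" and 200 <= rec["status"] < 300 \
                and rec["path"] in SENSITIVE_PATHS:
            hits.append((rec["ip"], rec["path"]))
    return hits


def enumeration_suspects(log_text, threshold=3):
    """Source IPs that hit the group picker anonymously at least `threshold` times,
    i.e. the repeated-query pattern needed to walk past the autocomplete limit."""
    counts = Counter(ip for ip, path in find_anonymous_hits(log_text)
                     if path == SENSITIVE_PATHS[0])
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

An instance that has been fixed to require authentication would show 401/403 rather than 2xx for these anonymous requests, so an empty result from find_anonymous_hits over real logs is the expected healthy state.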

            Assignee:
            Roman Tekhov (Inactive)
            Reporter:
            Patrick Otto
            Votes:
            0
            Watchers:
            8
