Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Not a bug
Priority: Low
Fix Version/s: None
Affects Version/s: 6.4.10
Component/s: Navigation - Search
Labels:
- affects-server

Introduced in Version:
6.04
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Summary

Anonymous users are able to search for users from the issue navigator.
Only when the Anonymous users types the full username.
Browse users permission has been restricted to but this does not prevent anonymous users to find JIRA users by typing their full username.
There might be a security concern as such :

A cracker would use automated trials using a list of common (user) names, find some hundreds of them (easily, including the first issue with those public filters), there needs just be one weak password and he's in.

Steps to Reproduce

Configure browse permissions for a project to "Anyone"
Create a user name for example John
Access JIRA's issue navigator without logging in ( As anonymous user). /issues/?jql=
Type John on the Assignee Field

Expected Results

Should not display/confirm that the user exists

Actual Results

Auto-complete/Suggestion appears that the username John exist.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

screen.png
55 kB
26/Aug/2015 9:36 AM

Issue Links

is related to

JRASERVER-44685 Password reset messages are misleading

Gathering Interest

relates to

JRASERVER-68144 JIRA Anonymous User Able To Search Creator Name In JQL Search When Key In Full User Name Even When Browse User Permission Doesn't Allow Anyone

Closed

JRASERVER-34165 username visisble to anonymous users

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Adrian Stephen

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 24/Aug/2015 12:34 PM

Updated:: 28/Mar/2019 12:18 AM

Resolved:: 25/Aug/2015 4:45 AM