Details
- Bug
- Resolution: Not a bug
- Low
- None
- 6.4.10
- 6.04
Description
Summary
- Anonymous users are able to search for users from the issue navigator.
- This only happens when the anonymous user types the full username.
- The Browse Users permission has been restricted, but this does not prevent anonymous users from finding JIRA users by typing their full username.
- There might be a security concern, as follows:
A cracker would use automated trials using a list of common (user) names, find some hundreds of them (easily, including the first issue with those public filters); there needs to be just one weak password and he's in.
Steps to Reproduce
- Configure the Browse Projects permission for a project to "Anyone".
- Create a user, for example John.
- Access JIRA's issue navigator without logging in (as an anonymous user) at /issues/?jql=
- Type John in the Assignee field.
Expected Results
- The navigator should not display or confirm that the user exists.
Actual Results
- An auto-complete suggestion appears confirming that the username John exists.
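The steps above describe an existence oracle: the assignee autocomplete answers an exact username match for a caller who does not hold Browse Users. The following is an added example, not Atlassian code and not the real Jira user picker; the user store, the permission model (a single `jira-users` group holding Browse Users, anonymous callers holding nothing) and the two picker functions are constructed for illustration. It puts the behaviour from the report beside the form a defender would expect: the permission check runs before any lookup, and every caller without Browse Users gets the same empty response whether or not the typed value names a real account.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class User:
    username: str
    display_name: str


@dataclass(frozen=True)
class Caller:
    # username None models an anonymous (not logged in) session.
    username: Optional[str] = None
    groups: FrozenSet[str] = frozenset()


# Constructed user directory for the example; these are not real accounts.
USERS = [
    User("john", "John Example"),
    User("jsmith", "Jane Smith"),
]

# Constructed permission model (assumption, not Jira's real permission code):
# Browse Users is granted to one group and never to anonymous callers.
BROWSE_USERS_GROUPS = frozenset({"jira-users"})


def can_browse_users(caller: Caller) -> bool:
    """Global Browse Users check over the constructed model."""
    if caller.username is None:
        return False
    return bool(caller.groups & BROWSE_USERS_GROUPS)


def _matches(user: User, query: str) -> bool:
    """Prefix match on username or display name (assumed matching rule)."""
    q = query.lower()
    return user.username.startswith(q) or user.display_name.lower().startswith(q)


def picker_vulnerable(query: str, caller: Caller) -> List[str]:
    """Models the behaviour in the report: an exact full-username match is
    answered before the permission check, so an anonymous caller learns
    whether that account exists. Partial queries are still gated."""
    exact = [u.display_name for u in USERS if u.username == query.lower()]
    if exact:
        return exact
    if not can_browse_users(caller):
        return []
    return [u.display_name for u in USERS if _matches(u, query)]


def picker_hardened(query: str, caller: Caller) -> List[str]:
    """Permission gate first. Callers without Browse Users get the same
    empty list whether or not the typed value names a real account, so the
    autocomplete no longer acts as an existence oracle."""
    if not can_browse_users(caller):
        return []
    return sorted(u.display_name for u in USERS if _matches(u, query))


if __name__ == "__main__":
    anonymous = Caller()
    member = Caller("alice", frozenset({"jira-users"}))
    print("vulnerable, anonymous, 'John':", picker_vulnerable("John", anonymous))
    print("hardened,   anonymous, 'John':", picker_hardened("John", anonymous))
    print("hardened,   member,    'j':   ", picker_hardened("j", member))
```

The point of the hardened version is that the response for an unprivileged caller is independent of the query. A check that only fires for partial matches, as in the vulnerable version, leaves exactly the full-username path the report describes open.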
Issue Links
- is related to: JRASERVER-44685 Password reset messages are misleading (Gathering Interest)
- relates to: JRASERVER-68144 JIRA Anonymous User Able To Search Creator Name In JQL Search When Key In Full User Name Even When Browse User Permission Doesn't Allow Anyone (Closed)
- relates to: JRASERVER-34165 username visible to anonymous users (Closed)