JRASERVER-44932 (Jira Data Center)

Anonymous users able to search for JIRA users from issue navigator



      • Anonymous users are able to search for users from the issue navigator.
      • This only happens when the anonymous user types the full username.
      • The Browse Users permission has been restricted, but this does not prevent anonymous users from finding JIRA users by typing their full username.
      • There might be a security concern, as follows:

        A cracker would run automated trials using a list of common (user) names and find some hundreds of them (easily, including the first issue with those public filters); there needs to be just one weak password and he's in.

      Steps to Reproduce

      1. Configure browse permissions for a project to "Anyone"
      2. Create a user name for example John
      3. Access JIRA's issue navigator without logging in (as an anonymous user): /issues/?jql=
      4. Type John in the Assignee field

      Expected Results

      1. Should not display/confirm that the user exists

      Actual Results

      1. An auto-complete suggestion appears, confirming that the username John exists.
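      The following is an added example, not Jira's code, that models the reported behaviour as a small Python user-picker: the vulnerable variant gates prefix search on the Browse Users permission but lets an exact-username lookup fall through, so an anonymous caller typing the full name gets the account confirmed, while the hardened variant puts every lookup path behind the permission check so the response carries no existence signal. The user directory, permission table, PickerRequest type and leaks_existence oracle check are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed user directory (username -> display name). "john" is the
# account from the reproduction steps; nothing here comes from a real system.
USERS = {"john": "John Smith", "astephen": "Adrian Stephen"}

# Constructed permission table: accounts holding the Browse Users permission.
# Anonymous callers are represented by caller=None and are never in this set.
BROWSE_USERS = {"astephen"}


@dataclass
class PickerRequest:
    caller: Optional[str]   # None means an anonymous (not logged in) caller
    query: str              # text typed into the Assignee field


def has_browse_users(caller: Optional[str]) -> bool:
    return caller is not None and caller in BROWSE_USERS


def prefix_matches(query: str) -> List[str]:
    """Normal picker behaviour for permitted callers: prefix search on
    username or display name."""
    q = query.lower()
    return [name for user, name in USERS.items()
            if user.startswith(q) or name.lower().startswith(q)]


def suggest_vulnerable(req: PickerRequest) -> List[str]:
    """Models the behaviour in the report: prefix search is gated on
    Browse Users, but an exact-username lookup falls through the gate, so
    an anonymous caller who types a full username gets the account
    confirmed (a partial name still returns nothing, as the report says)."""
    if has_browse_users(req.caller):
        return prefix_matches(req.query)
    q = req.query.lower()
    return [USERS[q]] if q in USERS else []   # the leak: exact match bypasses the gate


def suggest_hardened(req: PickerRequest) -> List[str]:
    """Every lookup path sits behind the permission check; callers
    without Browse Users get an empty list whether or not the name
    exists, so the response carries no existence signal."""
    if not has_browse_users(req.caller):
        return []
    return prefix_matches(req.query)


def leaks_existence(suggest: Callable[[PickerRequest], List[str]],
                    known_user: str, unknown_user: str) -> bool:
    """Self-check for a picker implementation: does an anonymous caller
    get different answers for a name that exists and one that does not?
    True means the endpoint confirms account existence to anonymous users."""
    present = suggest(PickerRequest(caller=None, query=known_user))
    absent = suggest(PickerRequest(caller=None, query=unknown_user))
    return present != absent


if __name__ == "__main__":
    for label, fn in (("vulnerable", suggest_vulnerable),
                      ("hardened", suggest_hardened)):
        print(label, "anonymous 'John' ->", fn(PickerRequest(None, "John")),
              "| leaks existence:", leaks_existence(fn, "john", "zzzz"))
```

      The leaks_existence check is the property the Expected Results ask for: run it against a picker after a fix and it should return False for anonymous callers regardless of which names are tried.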

        Attachment: screen.png (55 kB), uploaded by Adrian Stephen
        Assignee: Unassigned
        Reporter: Adrian Stephen (astephen@atlassian.com)
