- Bug
- Resolution: Duplicate
- Medium
- None
- 7.12.3
- 7.12
- 2
- Severity 2 - Major
Summary
An anonymous JIRA user is able to search for a creator name via the JQL search screen by entering a full user name, even when the "Browse User" global permission is not granted to "Anyone". This is definitely not expected behaviour if "Browse User" is not set to anyone.
Although the user is only shown when the full name entered matches exactly, this is still considered a security issue. An attacker can use this bug to identify which user IDs exist in JIRA.
Environment
JIRA Version: 7.12.3
Steps to Reproduce
- Open the JQL search URL http://localhost:8080/issues/?jql= (this link can be accessed directly even without logging in).
- Select More > Creator and key in a username in full, for example admin.jira.
- It will show the user when the username matches an existing JIRA user, as shown below.
Expected Results
- It shouldn't show any username.
- Besides, we shouldn't even be able to access the JQL page if anonymous user access is not allowed.
Actual Results
- The JQL page opens and we are able to key in a full username; JIRA will show it when it exists in the JIRA user directory.
Workaround
Installing this plugin will force the user to log in before they are able to access the JQL search page:
https://marketplace.atlassian.com/apps/1213129/prevent-anonymous-access?hosting=server&tab=support
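As an added example (not part of this report or of JIRA), here is a detection check a JIRA administrator could run over the Tomcat access log to spot anonymous hits on the JQL search page that probe the creator field, the pattern described in the steps above. It assumes the default JIRA Server access-log layout (client IP, request id, username or "-" for anonymous, timestamp, request line, status, ...); the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in the (assumed) default JIRA Server access-log layout:
# client IP, request id, username ("-" when anonymous), timestamp, request line, status, ...
# These are made-up lines for the example, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 1x1x1 - [12/Nov/2018:10:01:02 +0000] "GET /issues/?jql=creator%20%3D%20admin.jira HTTP/1.1" 200 5120 41 "-" "Mozilla/5.0" "-"
203.0.113.7 1x2x1 - [12/Nov/2018:10:01:05 +0000] "GET /issues/?jql=creator%20%3D%20%22j.smith%22 HTTP/1.1" 200 5120 39 "-" "Mozilla/5.0" "-"
203.0.113.7 1x3x1 - [12/Nov/2018:10:01:09 +0000] "GET /issues/?jql=creator+%3D+bob.lee HTTP/1.1" 200 5120 40 "-" "Mozilla/5.0" "-"
198.51.100.4 1x4x1 alice [12/Nov/2018:10:02:00 +0000] "GET /issues/?jql=creator%20%3D%20admin.jira HTTP/1.1" 200 5120 40 "-" "Mozilla/5.0" "abc"
192.0.2.9 1x5x1 - [12/Nov/2018:10:03:00 +0000] "GET /issues/?jql=project%20%3D%20TEST HTTP/1.1" 200 5120 40 "-" "Mozilla/5.0" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<reqid>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# JQL term of the form  creator = name  or  creator = "name"  (field name is case-insensitive)
CREATOR_RE = re.compile(r'\bcreator\s*=\s*"?([A-Za-z0-9._@-]+)"?', re.IGNORECASE)


def creator_probes(log_text):
    """Map client IP -> set of creator names queried anonymously on the JQL search page."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("user") != "-":      # "-" means no authenticated user
            continue
        url = urlparse(m.group("path"))
        if url.path != "/issues/":               # the issue navigator / JQL search page
            continue
        for jql in parse_qs(url.query).get("jql", []):   # parse_qs URL-decodes the query
            for name in CREATOR_RE.findall(jql):
                probes[m.group("ip")].add(name)
    return dict(probes)


def flag_enumeration(log_text, threshold=3):
    """Client IPs that anonymously queried at least `threshold` distinct creator names."""
    return sorted(ip for ip, names in creator_probes(log_text).items()
                  if len(names) >= threshold)


if __name__ == "__main__":
    for ip in flag_enumeration(SAMPLE_LOG):
        print(f"possible user enumeration from {ip}: {sorted(creator_probes(SAMPLE_LOG)[ip])}")
```

On an instance where anonymous access is not supposed to be allowed, any entry at all from this check is worth a look; the threshold only separates a stray hit from a sweep of names.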
Is related to: JRASERVER-44932 Anonymous users able to search for JIRA users from issue navigator (Closed)