Jira Data Center / JRASERVER-68144

JIRA Anonymous User Able To Search Creator Name In JQL Search When Key In Full User Name Even When Browse User Permission Doesn't Allow Anyone


      Summary

      An anonymous JIRA user is able to search for a creator name via the JQL search screen by entering the full username, even when the Browse Users global permission is not granted to "Anyone". This is not expected behaviour when "Browse Users" is not set to Anyone.

      Although the user is only shown when the full username entered matches exactly, this is still considered a security issue: an attacker can use this bug to identify which user IDs exist in JIRA.

      Environment

      JIRA Version: 7.12.3

      Steps to Reproduce

      1. Open the JQL search URL http://localhost:8080/issues/?jql= (this link can be accessed directly, even without logging in).
      2. Select More > Creator > key in a username in full, for example admin.jira.
      3. The user is shown when the username matches an existing JIRA user.

      Expected Results

      1. It shouldn't show any username.
      2. Besides, we shouldn't even be able to access the JQL page if anonymous access is not allowed.

      Actual Results

      1. The JQL page opens and we are able to key in a full username; JIRA shows the user when it exists in the JIRA user directory.

      Workaround

      Installing this plugin will force users to log in before they are able to access the JQL search page:
      https://marketplace.atlassian.com/apps/1213129/prevent-anonymous-access?hosting=server&tab=support

            pprzytarski Pawel Przytarski
            dkoh Danson (Inactive)