Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 8.5.4, 7.13.13, 8.7.1
Affects Version/s: 7.13.3, 8.2.4
Component/s: Issue - Create Issue
Labels:
None

Fixed in Long Term Support Release/s:

Download 7.13, 8.5
Introduced in Version:
7.13
Support reference count:
1
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Issue Summary

Permissions are set to allow a user that is not signed in to create a ticket and assign the report through the user picker. Recent releases of Jira prevent this action unless the user signs in.

Environment

Jira 7.13.3+

Steps to Reproduce

Set up a new install of Jira 7.12.x
Set the global permission "browse users" to anyone and the project permissions "create issues," "modify reporter," "browse projects," & "assign issues"
Log out
Attempt to create an issue and assign it to a user in the instance
Complete issue creation
Set up a new install of Jira 7.13.5
Grant the same permissions
Log out
Attempt to create an issue and assign it to a user

Expected Results

Same results as 7.12.x

Actual Results

An error prompting for sign in (401 error)

Notes

An unintended symptom of https://jira.atlassian.com/browse/JRASERVER-69242

Workaround

Currently, there is no known workaround for this behavior. A workaround will be added here when available.

Attachments

Issue Links

is caused by

JRASERVER-69242 Information disclosure in the /rest/api/2/user/picker rest resource - CVE-2019-3403

Closed

is duplicated by

JSWSERVER-20459 Pre-configured anonymous access to user picker breaks upon upgrading to Jira 8.4+

Closed

mentioned in: Page Loading...

relates to: RAID-1708 Loading...

Activity

People

Assignee:: Mateusz Ostaszewski

Reporter:: Liam McD (Inactive)

Votes:: 2 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 09/Aug/2019 5:01 PM

Updated:: 20/Aug/2020 11:59 PM

Resolved:: 20/Jan/2020 2:09 PM