Status: Closed
Permissions are set to allow a user that is not signed in to create a ticket and assign the report through the user picker. Recent releases of Jira prevent this action unless the user signs in.
Steps to Reproduce
- Set up a new install of Jira 7.12.x
- Set the global permission "browse users" to anyone and the project permissions "create issues," "modify reporter," "browse projects," & "assign issues"
- Log out
- Attempt to create an issue and assign it to a user in the instance
- Complete issue creation
- Set up a new install of Jira 7.13.5
- Grant the same permissions
- Log out
- Attempt to create an issue and assign it to a user
Expected Results
Same results as 7.12.x
Actual Results
An error prompting for sign in (401 error)
An unintended symptom of https://jira.atlassian.com/browse/JRASERVER-69242
Currently, there is no known workaround for this behavior. A workaround will be added here when available.
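To see whether an instance depends on the anonymous user picker access that this change breaks, an administrator can count anonymous requests to `/rest/api/2/user/picker` by response status in the access log. The script below is an added example, not part of the ticket or of Jira. It assumes the access log layout `ip request-id username [timestamp] "request" status ...` with `-` as the username for requests made without a session, and the sample lines are constructed.

```python
import re
from collections import Counter

# Assumed access log layout (not taken from the ticket):
# ip request-id username [timestamp] "METHOD path PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<rid>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)
PICKER = "/rest/api/2/user/picker"  # endpoint named in JRASERVER-69242

# Constructed sample lines: before the upgrade (200) and after it (401).
SAMPLE_LOG = [
    '203.0.113.7 601x11x1 - [02/May/2019:10:01:12 +0000] '
    '"GET /rest/api/2/user/picker?query=al HTTP/1.1" 200 412 35 "-" "Mozilla/5.0" "-"',
    '203.0.113.7 601x12x1 jsmith [02/May/2019:10:01:40 +0000] '
    '"GET /rest/api/2/user/picker?query=bo HTTP/1.1" 200 398 28 "-" "Mozilla/5.0" "1a2b3c"',
    '198.51.100.4 905x40x1 - [20/May/2019:09:15:03 +0000] '
    '"GET /jira/rest/api/2/user/picker?query=al HTTP/1.1" 401 0 4 "-" "Mozilla/5.0" "-"',
    '198.51.100.4 905x41x1 - [20/May/2019:09:15:09 +0000] '
    '"GET /rest/api/2/issue/createmeta HTTP/1.1" 200 2210 51 "-" "Mozilla/5.0" "-"',
]

def anonymous_picker_calls(lines):
    """Yield (ip, timestamp, status) for user picker requests with no session user."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access log line in the assumed layout
        path = m["path"].split("?", 1)[0]  # drop the query string
        # endswith() also matches installs served under a context path such as /jira
        if path.endswith(PICKER) and m["user"] == "-":
            yield m["ip"], m["ts"], int(m["status"])

def summarize(lines):
    """Count anonymous user picker requests per HTTP status code."""
    return Counter(status for _, _, status in anonymous_picker_calls(lines))

if __name__ == "__main__":
    for status, count in sorted(summarize(SAMPLE_LOG).items()):
        # 200: anonymous access was served; 401: the sign-in requirement applies
        print(f"HTTP {status}: {count} anonymous user picker request(s)")
```

Anonymous requests answered with 200 before an upgrade indicate workflows that will start returning 401 afterwards.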
- is caused by
JRASERVER-69242 Information disclosure in the /rest/api/2/user/picker rest resource - CVE-2019-3403
- is duplicated by
JSWSERVER-20459 Pre-configured anonymous access to user picker breaks upon upgrading to Jira 8.4+