Suggestion
Resolution: Fixed
Context
In Jira Server/Data Center up to 8.18.x, Jira users were able to receive Jira notifications without being granted Application access.
From Jira Server/Data Center 8.19.0, Jira users need to have Application access (and a corresponding license) to receive a Jira notification (batched and non-batched).
Details regarding this: the old behavior was identified as a security vulnerability, as any user whose Jira access has been revoked should also not receive notifications, since these notifications could include confidential information. See JRASERVER-72737 for more context.
Issue
In the past, it was possible to take advantage of the old behavior and send notifications to users without application access ("non-login users"). For example, these "non-login users" were associated with a mailbox shared by a team.
Since Jira 8.19.0, this configuration is no longer possible.
Suggestions
As a Jira Administrator, I would like to create user accounts that are used only for the corresponding notifications and are not able to log in to Jira, i.e. "Notification only" accounts.
Preferably, those accounts should not consume a Jira license.
Workaround
Grant access in Jira to those accounts.
Since Jira 8.20.6, it will be possible to revert the new behaviour introduced by JRASERVER-72737 with the Dark Feature Flag:
com.atlassian.jira.send.email.notifications.to.user.without.application.access.enabled
At the same time, all future 8.13.x versions starting with 8.13.19 will have the option to enable the new behaviour with the feature flag:
com.atlassian.jira.send.email.notifications.to.user.without.application.access.disabled
Cheers,
Jira DC Bugfix Team
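An added example, not Atlassian's code: it applies the version and flag rules from this ticket to an inventory and lists the accounts that would still be e-mailed without application access. The inventory records and their field names are constructed, and treating every release from 8.20.6 onward as honouring the revert flag is an assumption.

```python
import re

# Flag names come from the ticket; the inventory below is constructed.
REVERT_FLAG = "com.atlassian.jira.send.email.notifications.to.user.without.application.access.enabled"
OPT_IN_FLAG = "com.atlassian.jira.send.email.notifications.to.user.without.application.access.disabled"


def parse_version(text):
    """Turn '8.20.6' into (8, 20, 6); missing parts count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def mails_users_without_access(version, dark_features):
    """True if this instance still e-mails users lacking application access."""
    v, flags = parse_version(version), set(dark_features)
    if v >= (8, 19, 0):
        # New behaviour by default. The revert flag exists from 8.20.6;
        # assumption: every later release honours it as well.
        return v >= (8, 20, 6) and REVERT_FLAG in flags
    if (8, 13, 19) <= v < (8, 14, 0):
        # 8.13.x from 8.13.19: old behaviour unless the opt-in flag is set.
        return OPT_IN_FLAG not in flags
    return True  # other releases up to 8.18.x: old behaviour, no switch


def exposed_recipients(instance, users):
    """Accounts that would be mailed despite having no application access."""
    if not mails_users_without_access(instance["version"], instance["dark_features"]):
        return []
    return sorted(u["name"] for u in users
                  if u["receives_notifications"] and not u["application_access"])


# Constructed sample data (hypothetical field names), not a Jira export format.
USERS = [
    {"name": "alice", "application_access": True, "receives_notifications": True},
    {"name": "former-contractor", "application_access": False, "receives_notifications": True},
    {"name": "team-mailbox", "application_access": False, "receives_notifications": True},
    {"name": "idle", "application_access": False, "receives_notifications": False},
]
INSTANCES = [
    {"name": "lts-hardened", "version": "8.13.19", "dark_features": [OPT_IN_FLAG]},
    {"name": "no-revert-yet", "version": "8.19.0", "dark_features": [REVERT_FLAG]},
    {"name": "reverted", "version": "8.20.6", "dark_features": [REVERT_FLAG]},
]

if __name__ == "__main__":
    for inst in INSTANCES:
        print(inst["name"], exposed_recipients(inst, USERS))
```

Any account the last function returns for a reverted instance should be reviewed: it is either an intended notification-only mailbox or a revoked user still receiving issue content.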
- relates to: JRASERVER-72737 Issue watchers continue receiving updates even after their Jira account is revoked - CVE-2021-39119 (Published)
- is related to: PSR-701