Browsing /jira/rest/api/2/user/picker as an unauthenticated user should return 401


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Low
    • Affects Version/s: 8.20.5, 10.4.0
    • Component/s: REST API
    • Severity 3 - Minor

      Issue Summary

      Browsing <JIRA_BASE_URL>/jira/rest/api/2/user/picker?query=username as an unauthenticated user always returns 404, along with the following message:

      {"errorMessages":["The user named '{0}' does not exist"],"errors":{}}

      Steps to Reproduce

      1. Open a private browser window
      2. Browse <JIRA_BASE_URL>/jira/rest/api/2/user/picker?query=username_that_exists
      3. Browse <JIRA_BASE_URL>/jira/rest/api/2/user/picker?query=username_that_does_not_exist

      Expected Results

      In both cases, an HTTP 401 Unauthorized should be returned.
      Ideally, the message returned would also be something like "Access denied".

      Actual Results

      An HTTP 404 Not Found is returned in both cases, along with the error message "The user named '{0}' does not exist".

      Workaround

      None

      Notes

      Although this does not allow user enumeration by itself, because the response is always a 404, it does give an attacker a hint that the endpoint performs a user lookup for anonymous callers and that user enumeration may be possible.
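The following is an added verification script, not part of this issue or of Jira itself: it probes the user picker endpoint without credentials with the two queries from the steps above and flags any instance that does not answer 401. The base URL, the two query values and the two stub responses are constructed placeholders; the `fetch` callback is swapped so the same check runs offline against the stubs or live against a server.

```python
import json
from typing import Callable, Dict, List, Tuple

# Constructed placeholder; replace with the real instance URL when running live.
JIRA_BASE_URL = "https://jira.example.invalid"

# Hypothetical query values: one username assumed to exist, one that does not.
PROBE_QUERIES = ("admin", "nosuchuser-zz9")


def classify_unauthenticated_response(status: int, body: str) -> Tuple[bool, str]:
    """Return (ok, reason) for an anonymous response from /rest/api/2/user/picker.

    Expected behaviour is 401 regardless of the query. A 404 carrying the
    'does not exist' message is the behaviour described in this issue and means
    the anonymous request reached the user lookup.
    """
    if status == 401:
        return True, "401 Unauthorized as expected"
    try:
        messages = json.loads(body).get("errorMessages", [])
    except (ValueError, AttributeError):
        messages = []
    if status == 404 and any("does not exist" in m for m in messages):
        return False, "404 with 'does not exist' message: anonymous request reached user lookup"
    return False, f"unexpected status {status} for unauthenticated request"


def check_user_picker(fetch: Callable[[str], Tuple[int, str]],
                      base_url: str = JIRA_BASE_URL) -> List[Dict[str, object]]:
    """Probe the endpoint once per query and classify each response.

    `fetch` takes a URL and returns (status_code, body) for an unauthenticated GET.
    """
    results = []
    for q in PROBE_QUERIES:
        url = f"{base_url}/jira/rest/api/2/user/picker?query={q}"
        status, body = fetch(url)
        ok, reason = classify_unauthenticated_response(status, body)
        results.append({"query": q, "status": status, "ok": ok, "reason": reason})
    return results


def all_expected(results: List[Dict[str, object]]) -> bool:
    """True only if every probe got the expected 401."""
    return all(r["ok"] for r in results)


# Constructed stub reproducing the reported behaviour: every anonymous query
# gets a 404 with the same templated message.
def affected_instance_fetch(url: str) -> Tuple[int, str]:
    return 404, '{"errorMessages":["The user named \'{0}\' does not exist"],"errors":{}}'


# Constructed stub for the expected behaviour: 401 with a generic message.
def fixed_instance_fetch(url: str) -> Tuple[int, str]:
    return 401, '{"errorMessages":["Access denied"],"errors":{}}'


def live_fetch(url: str) -> Tuple[int, str]:
    """Real unauthenticated GET using only the standard library (no session cookie, no auth header)."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Offline demonstration against both stubs; pass live_fetch to test a real instance.
    for name, fetch in (("affected", affected_instance_fetch), ("fixed", fixed_instance_fetch)):
        rs = check_user_picker(fetch)
        print(name, "PASS" if all_expected(rs) else "FAIL")
        for r in rs:
            print("  ", r["query"], r["status"], r["reason"])
```

The check deliberately treats any non-401 status as a finding rather than special-casing only 404, so it also catches an instance that starts answering 200 to anonymous callers; a regression test for the fix can simply assert `all_expected(check_user_picker(live_fetch))`.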

              Assignee: Unassigned
              Reporter: Arbi Dridi
              Votes: 5
              Watchers: 7
