Details
- Bug
- Resolution: Unresolved
- Low
- None
- 9.0.0, 8.20.10, 9.2.0, 9.1.1, 9.4.0, 9.3.1
- None
- 8.2
- 2
- Severity 3 - Minor
- 1
Description
Issue Summary
This is reproducible on Data Center: Yes
The Jira REST API endpoint for editing issues (PUT /rest/api/2/issue/issuekey) allows assigning an issue security level from an unrelated issue security scheme, one associated with a different project.
Steps to Reproduce
- Create an issue security scheme named, say, JIRA_Security_Scheme and associate it with a project, say JIRA_Application_Security.
- Then create a security level named supersecure and assign it to one of the issues, say JAS-23. The ID for this security level can be found in the table schemeissuesecuritylevels; say it is 10100.
- Create another security scheme named, say, Bamboo_Security_Scheme and associate it with the project Bamboo_Security.
- Then create a security level named supersecure again under this scheme and assign it to an issue, say BAM-45. The ID for this security level can be found in the table schemeissuesecuritylevels; say it is 10101.
- Normally in the UI you would not be able to select the supersecure security level belonging to project Bamboo_Security for the issue JAS-23 belonging to JIRA_Application_Security.
- But using a REST API call like the one below, you can assign the wrong security level from an unrelated project to the current issue. Here we overwrite the security level of the issue JAS-23, which is associated only with JIRA_Application_Security and had the level of the same name, supersecure, with ID 10100, with the level 'supersecure' (ID: 10101) belonging to the scheme Bamboo_Security_Scheme of project Bamboo_Security:
curl -v -u user:pass -X PUT --data '{"fields": {"security": { "id" : "10101" }}}' -H "Content-Type:application/json" http://localhost:8080/rest/api/2/issue/JAS-23
Expected Results
- The unrelated security level should not be assignable to the issue.
- The issue should be viewable.
Actual Results
The unrelated issue security level from the other project's issue security scheme gets assigned. Afterwards, the issue cannot be viewed, cannot be updated even via REST, and cannot be deleted either, all due to permission issues.
Workaround
Currently we have this KB, https://confluence.atlassian.com/display/JIRAKB/Issues+that+are+found+in+the+Jira+database+are+not+accessible+through+Jira+UI, to find such issues, but it requires database manipulation.
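As an added illustration (not Atlassian's code), the check the edit endpoint should apply, validating the requested level id against the scheme of the issue's own project rather than by name, together with a detection pass over exported issues that flags ones already carrying a foreign level, which is what the linked KB does through the database. Project, scheme, issue and level ids are the ones from the report; the data shapes are constructed and are not Jira's API format.

```python
"""Defender-side checks for the cross-scheme security level mismatch in this report."""

# Constructed: which issue security scheme each project uses.
PROJECT_SCHEMES = {
    "JIRA_Application_Security": "JIRA_Security_Scheme",
    "Bamboo_Security": "Bamboo_Security_Scheme",
}

# Constructed: the levels (id -> name) defined in each scheme. Both schemes
# define a level called "supersecure", so names alone cannot tell them apart.
SCHEME_LEVELS = {
    "JIRA_Security_Scheme": {"10100": "supersecure"},
    "Bamboo_Security_Scheme": {"10101": "supersecure"},
}

# Constructed: a minimal per-issue view (project key plus current level id).
ISSUES = [
    {"key": "JAS-23", "project": "JIRA_Application_Security", "security": "10100"},
    {"key": "BAM-45", "project": "Bamboo_Security", "security": "10101"},
]


def allowed_levels(project):
    """Level ids an issue in `project` may legitimately carry (empty if no scheme)."""
    return SCHEME_LEVELS.get(PROJECT_SCHEMES.get(project), {})


def validate_security_update(issue, requested_id):
    """The check the edit endpoint should enforce: the requested level id must
    be defined in the scheme attached to the issue's own project."""
    if requested_id in allowed_levels(issue["project"]):
        return True, "ok"
    return False, "level %s is not in scheme %s of project %s" % (
        requested_id, PROJECT_SCHEMES.get(issue["project"]), issue["project"])


def find_mismatched_issues(issues):
    """Detection: issues already carrying a level from a foreign scheme, i.e.
    the ones that become unviewable and uneditable once such a PUT lands."""
    return [i["key"] for i in issues
            if i.get("security") is not None
            and i["security"] not in allowed_levels(i["project"])]


if __name__ == "__main__":
    # The PUT from the report: Bamboo-scheme level 10101 onto JAS-23.
    print(validate_security_update(ISSUES[0], "10101"))
    print(find_mismatched_issues([dict(ISSUES[0], security="10101"), ISSUES[1]]))
```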