JRASERVER-74605 (Jira Data Center)

Jira REST API allows assigning a security level from an unrelated issue security scheme

Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Low
    • Fix Version/s: None
    • Affects Version/s: 9.0.0, 8.20.10, 9.2.0, 9.1.1, 9.4.0, 9.3.1
    • Component/s: Issue - Actions
    • Labels: None

    Description

      Issue Summary

      This is reproducible on Data Center: Yes

      The Jira REST API for editing issues (PUT /rest/api/2/issue/{issueKey}) allows assigning an issue security level that belongs to an unrelated issue security scheme, i.e. one associated with a different project. The server checks only that the level ID exists, not that it is part of the scheme of the issue's own project.

      Steps to Reproduce

      1. Create an issue security scheme, say JIRA_Security_Scheme, and associate it with a project, say JIRA_Application_Security (key JAS).
      2. Create a security level named supersecure in that scheme and assign it to one of the project's issues, say JAS-23. The ID of this security level can be found in the table schemeissuesecuritylevels; say it is 10100.
      3. Create another issue security scheme, say Bamboo_Security_Scheme, and associate it with the project Bamboo_Security (key BAM).
      4. Create a security level, again named supersecure, in this second scheme and assign it to an issue, say BAM-45. Its ID can likewise be found in schemeissuesecuritylevels; say it is 10101.
      5. In the UI you cannot select the supersecure level belonging to Bamboo_Security for the issue JAS-23, which belongs to JIRA_Application_Security.
      6. A REST call such as the one below does let you assign the level from the unrelated project to the issue. Here the security level 'supersecure' (ID 10101) from Bamboo_Security_Scheme is written onto JAS-23, which is associated only with JIRA_Security_Scheme and previously carried the level of the same name but with ID 10100:
      curl -v -u user:pass -X PUT --data '{"fields": {"security": { "id" : "10101" }}}' -H "Content-Type: application/json" http://localhost:8080/rest/api/2/issue/JAS-23
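
      The check the server should perform before accepting that PUT, as an added Python example (not Atlassian's code and not part of this report): resolve the target issue's project, fetch that project's issue security scheme, and accept the level ID only if the scheme contains it. It assumes the Jira Server/DC endpoints GET /rest/api/2/issue/{key}?fields=project,security and GET /rest/api/2/project/{projectKey}/issuesecuritylevelscheme (404 when the project has no scheme); the JAS/BAM responses embedded in it are constructed to mirror the steps above, not captured from a live instance. Until the server enforces this, an integration that sets security levels via REST can run the same guard client-side.

```python
"""Pre-flight guard for PUT /rest/api/2/issue/{key}: refuse a security level
that is not part of the scheme of the issue's own project.

Added example, not Atlassian code. Assumes the Jira Server/DC endpoints
GET /rest/api/2/issue/{key}?fields=project,security and
GET /rest/api/2/project/{projectKey}/issuesecuritylevelscheme (404 = no scheme).
"""
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, Optional, Set

Fetcher = Callable[[str], Optional[Dict[str, Any]]]

# Constructed sample responses (not from a real instance): JAS-23 sits in
# project JAS, whose scheme has only level 10100; project BAM's scheme has a
# level with the same name 'supersecure' but ID 10101.
SAMPLE_RESPONSES: Dict[str, Dict[str, Any]] = {
    "/rest/api/2/issue/JAS-23?fields=project,security": {
        "key": "JAS-23",
        "fields": {
            "project": {"key": "JAS", "name": "JIRA_Application_Security"},
            "security": {"id": "10100", "name": "supersecure"},
        },
    },
    "/rest/api/2/project/JAS/issuesecuritylevelscheme": {
        "id": 10000, "name": "JIRA_Security_Scheme",
        "levels": [{"id": "10100", "name": "supersecure"}],
    },
    "/rest/api/2/project/BAM/issuesecuritylevelscheme": {
        "id": 10001, "name": "Bamboo_Security_Scheme",
        "levels": [{"id": "10101", "name": "supersecure"}],
    },
}


def sample_fetcher(path: str) -> Optional[Dict[str, Any]]:
    """Offline fetcher; None stands for a 404 (project has no scheme)."""
    return SAMPLE_RESPONSES.get(path)


def http_fetcher(base_url: str, auth_header: str) -> Fetcher:
    """Fetcher for a live instance, e.g. base_url='http://localhost:8080'."""
    def fetch(path: str) -> Optional[Dict[str, Any]]:
        req = urllib.request.Request(
            base_url + path,
            headers={"Authorization": auth_header, "Accept": "application/json"},
        )
        try:
            with urllib.request.urlopen(req) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return None
            raise
    return fetch


class ForeignSecurityLevel(ValueError):
    """Level ID is not in the scheme of the issue's project."""


def allowed_level_ids(project_key: str, fetch: Fetcher) -> Set[str]:
    """Level IDs offered by the project's scheme; empty if it has none."""
    scheme = fetch(f"/rest/api/2/project/{project_key}/issuesecuritylevelscheme")
    if not scheme:
        return set()
    return {str(level["id"]) for level in scheme.get("levels", [])}


def is_level_allowed(issue_key: str, level_id: str, fetch: Fetcher) -> bool:
    """True only if level_id belongs to the scheme of issue_key's project."""
    issue = fetch(f"/rest/api/2/issue/{issue_key}?fields=project,security")
    if not issue:
        raise KeyError(f"issue {issue_key} not found or not visible")
    project_key = issue["fields"]["project"]["key"]
    return str(level_id) in allowed_level_ids(project_key, fetch)


def build_security_update(issue_key: str, level_id: str, fetch: Fetcher) -> Dict[str, Any]:
    """Payload for PUT /rest/api/2/issue/{issue_key}, or ForeignSecurityLevel.

    IDs are compared, never names: both schemes here call their level
    'supersecure', which is exactly why a name-based lookup would be wrong.
    """
    if not is_level_allowed(issue_key, level_id, fetch):
        raise ForeignSecurityLevel(
            f"security level {level_id} is not in the scheme of {issue_key}'s project")
    return {"fields": {"security": {"id": str(level_id)}}}


if __name__ == "__main__":
    print(build_security_update("JAS-23", "10100", sample_fetcher))  # accepted
    try:
        build_security_update("JAS-23", "10101", sample_fetcher)     # refused
    except ForeignSecurityLevel as exc:
        print("refused:", exc)
```

      With the constructed data, level 10100 is accepted for JAS-23 and level 10101 is refused, which is the behaviour the UI already enforces and the REST endpoint does not. The fetcher is injected so the same guard runs offline against the sample payloads or against a real instance via http_fetcher.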

      Expected Results

      1. The unrelated security level should not be assignable to the issue; the PUT should be rejected.
      2. The issue should remain viewable.

      Actual Results

      The issue security level from the other project's unrelated issue security scheme gets assigned. Afterwards the issue cannot be viewed, cannot be updated (even via REST) and cannot be deleted, all because the permission checks for that level fail in the issue's own project.

      Workaround

      Currently we have this KB, https://confluence.atlassian.com/display/JIRAKB/Issues+that+are+found+in+the+Jira+database+are+not+accessible+through+Jira+UI, to find such issues, but it requires database manipulation.

      People

        Assignee: Unassigned
        Reporter: svenkatachari shrivatsaa
        Votes: 6
        Watchers: 8