-
Bug
-
Resolution: Unresolved
-
Low (View bug fix roadmap)
-
None
-
None
-
None
-
1
-
A vulnerability has been detected in the filter manager, in the 'Popular' section, it has been seen that users can see the popular filters, without having previous permissions in that filter or in the project.
In itself, they can not see the content of the filter as such, or the commands that make it up, but they can see the description, the owner, among others.
My question is, if this can be solved in some way, such as disabling the Popular section in the filter manager, or if this vulnerability will be solved in the future.
Users cannot see the issues themselves (in this example) but can view the filter name, owner, and popularity. Without logging in a subset of our filters are visible here: <base url>/secure/ManageFilters.jspa#filterView=popular
Our permissions do not allow any anonymous access to the projects mentioned in these filters. The filters are shared with everyone. If this is not a bug can you please describe the functionality of anonymous access to filters so that we can configure JIRA correctly to prevent this data leakage. (It appears that filters shared with Everyone can be seen anonymously even if the issues contained within cannot.)
- duplicates
-
JRASERVER-23255 Shared filters are visible to anonymous users when shared with 'Everyone'
- Closed
- is cloned from
-
-
- Closed
-
- relates to
-
-
- Closed
-
Vulnerability in the filter manager - Anonymous users can access popular filters w/out permission
A vulnerability has been detected in the filter manager, in the 'Popular' section, it has been seen that users can see the popular filters, without having previous permissions in that filter or in the project.
In itself, they can not see the content of the filter as such, or the commands that make it up, but they can see the description, the owner, among others.
My question is, if this can be solved in some way, such as disabling the Popular section in the filter manager, or if this vulnerability will be solved in the future.
Users cannot see the issues themselves (in this example) but can view the filter name, owner, and popularity. Without logging in a subset of our filters are visible here: <base url>/secure/ManageFilters.jspa#filterView=popular
Our permissions do not allow any anonymous access to the projects mentioned in these filters. The filters are shared with everyone. If this is not a bug can you please describe the functionality of anonymous access to filters so that we can configure JIRA correctly to prevent this data leakage. (It appears that filters shared with Everyone can be seen anonymously even if the issues contained within cannot.)
- duplicates
-
- Closed
- is cloned from
-
-
- Closed
-
- relates to
-
-
- Closed
-
-
Unassigned
-
Leonardo Souto
- Votes:
-
0 Vote for this issue
- Watchers:
-
1 Start watching this issue
- Created:
- Updated: