Jira Service Management Data Center: JSDSERVER-12130

"Browse Project" permission set to specific values overrides the customer permission, which results in the project getting exposed in the customer portal

Steps to Reproduce

1. In JSD project A, set the customer permission "Who can access the portal and send requests to <project key>?" to "Customers my team adds to the project".
2. Confirm that the project has no customers added.
3. Access the portal as a customer who has customer portal access (a customer added to another project B, but not to project A). The customer is not able to access the project A portal and receives the error: "You do not have permission to view this Portal."
4. Add a request type in project A and some custom fields in that request type (these are considered sensitive data). The custom fields should be part of the "Create issue" screen.
5. Edit the permission scheme of project A so that the "Browse Project" permission is granted to one of these holder types:
   • Reporter
   • Single user
   • Current assignee
   • User custom field value
   • Group custom field value
6. Access the portal again as the same customer (added to project B, but not to project A).

Expected Results

Customer will only see project B.

Actual Results

The customer sees project B and can browse request types and see custom fields (Testers in my example) associated with project A (created in step 4 above).

P.S.: This time the customer sees the message "You need permission to create a request through this service project." instead of the step 3 error.

Workaround

Remove all these entries from the "Browse Project" permission:

• Reporter
• Single user
• Current assignee
• User custom field value
• Group custom field value
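As an added defensive check (not Atlassian's code and not part of this ticket): a small Python audit that flags the five "Browse Project" holder types named in the workaround within a permission scheme, and builds the scheme with those grants removed. The JSON shape and the holder type names (`reporter`, `user`, `assignee`, `userCustomField`, `groupCustomField`) follow the Jira Server/DC REST API as I understand it and are assumptions; the sample scheme is constructed.

```python
"""Audit a Jira Data Center permission scheme for the "Browse Project" grants
that JSDSERVER-12130 shows override the customer-portal access restriction."""
import json

# Holder types the bug report lists. The keys are the holder "type" values
# the Jira Server/DC REST API uses for these entries (assumed, not from the page).
RISKY_BROWSE_HOLDERS = {
    "reporter": "Reporter",
    "user": "Single user",
    "assignee": "Current assignee",
    "userCustomField": "User custom field value",
    "groupCustomField": "Group custom field value",
}

# Constructed sample shaped like GET /rest/api/2/permissionscheme/{id}?expand=permissions
SAMPLE_SCHEME = json.loads("""{
  "id": 10100, "name": "Service Desk scheme (constructed sample)",
  "permissions": [
    {"id": 1, "permission": "BROWSE_PROJECTS", "holder": {"type": "projectRole", "parameter": "10002"}},
    {"id": 2, "permission": "BROWSE_PROJECTS", "holder": {"type": "reporter"}},
    {"id": 3, "permission": "BROWSE_PROJECTS", "holder": {"type": "userCustomField", "parameter": "customfield_10300"}},
    {"id": 4, "permission": "CREATE_ISSUES",   "holder": {"type": "assignee"}},
    {"id": 5, "permission": "BROWSE_PROJECTS", "holder": {"type": "group", "parameter": "jira-servicedesk-users"}}
  ]
}""")


def risky_browse_grants(scheme):
    """Return the Browse Project grants whose holder type is one the report says
    exposes the project's request types and fields in the customer portal."""
    return [
        g for g in scheme["permissions"]
        if g["permission"] == "BROWSE_PROJECTS"
        and g["holder"]["type"] in RISKY_BROWSE_HOLDERS
    ]


def remediated(scheme):
    """Copy of `scheme` with the risky grants removed, i.e. the workaround applied.
    Doing this on a live instance means one
    DELETE /rest/api/2/permissionscheme/{schemeId}/permission/{grantId} per finding."""
    bad = {g["id"] for g in risky_browse_grants(scheme)}
    return {**scheme, "permissions": [g for g in scheme["permissions"] if g["id"] not in bad]}


if __name__ == "__main__":
    for g in risky_browse_grants(SAMPLE_SCHEME):
        holder = RISKY_BROWSE_HOLDERS[g["holder"]["type"]]
        print(f'grant {g["id"]}: Browse Project held by "{holder}" -> remove')
```

Only grants on BROWSE_PROJECTS are flagged; the "Current assignee" grant on CREATE_ISSUES in the sample is left alone, which is why the audit should be run on every service project's scheme rather than a single one.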


Cornelius Gillner added a comment

c8bcca445054 as you resolved this issue with "Not a bug" - but JSDCLOUD-8167 still being unresolved and the bug still being present on LTS 9.12.x - will this security issue ever be fixed and if so, how will we be notified about this?
We recently had a security incident regarding this.

Alex Cooksey added a comment (edited)

Hi f862a9771f32,

Apologies - typically security issues are marked as private and moved to an internal portal to avoid publishing details of existing exploits.

However, given the nature of this vulnerability, and its existence in our product for such a long time - I've re-opened the issue and will make sure to provide updates in the ticket; as well as a Fix Version when we know it.

This issue is in our queue and we will endeavour to resolve it as soon as possible.

Thanks for understanding, let me know if you have any other questions!

Alex

Cornelius Gillner added a comment

Hello 2618d3c795d4,

I don't have access to the provided ticket. How would I get access?
If I don't get access, how will I know if/when/how the issue will be resolved?

Kind Regards

Nico Hoffmann added a comment

Hello Atlassian, this is from my point of view a security incident, as users may be able to retrieve information out of custom fields of requests they should not have access to. You could enumerate usernames, assets or other stuff this way. Please treat this with a priority.

Anton Sidliar (Inactive)
Meriem Dhahak
Affected customers: 4
Watchers: 8