Jira security vulnerabilities

Prachi Agarwal January 21, 2019

Hi Team,

Our IT team has found a security exception issue with this URL: https://jira.lenovo.com/secure/popups/UserPickerBrowser.jspa

As we noticed, this URL isn't asking for a login and is exposing the customer content as is (with PII information). Since our JIRA instance is open to the public, it is facing a bigger security threat. Please advise on a fix ASAP.

1 answer

1 vote
Nic Brough -Adaptavist-
Community Leader
January 21, 2019

Log in as an admin, and go to "global permissions" in the administration screens.

Find the line that says "Browse users: anyone" and click delete underneath it.

As you have a system open to the internet and one of your administrators has thought it's ok to use "anyone", I'd strongly recommend that you review all of your permission schemes as well as global permissions, and check that "anyone" is only used for read-only access to the projects you really do want to be totally public.
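To confirm the exposure before the change and verify it is closed afterwards, the following probe (an added example, not code from the original post or from Atlassian) makes two unauthenticated requests against a Jira Server/Data Center instance. It assumes that `/rest/api/2/mypermissions` reports the Browse Users global permission under the key `USER_PICKER`, and that `/rest/api/2/user/picker?query=a` is the REST counterpart of the UserPickerBrowser page; both endpoint details should be checked against your Jira version. The decision logic is kept in pure functions so it can be exercised against the constructed sample responses embedded in the block without touching a live server.

```python
"""Probe an internet-facing Jira Server/DC for anonymous "Browse Users" access.

Added example, not part of the original thread. Assumptions (verify for your
version): the Browse Users global permission appears in /rest/api/2/mypermissions
under the key USER_PICKER, and /rest/api/2/user/picker is gated by it.
"""
from __future__ import annotations

import json
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Tuple

# Assumed permission key for the "Browse Users" global permission.
BROWSE_USERS_KEY = "USER_PICKER"


@dataclass
class Finding:
    exposed: bool  # True if an anonymous client can enumerate the user directory
    detail: str


def assess_mypermissions(status: int, body: str) -> Finding:
    """Interpret an unauthenticated GET /rest/api/2/mypermissions response."""
    if status != 200:
        return Finding(False, f"mypermissions returned HTTP {status}; anonymous access looks blocked")
    try:
        perms = json.loads(body).get("permissions", {})
    except json.JSONDecodeError:
        return Finding(False, "mypermissions body is not JSON (probably a login page)")
    entry = perms.get(BROWSE_USERS_KEY)
    if entry is None:
        return Finding(False, f"{BROWSE_USERS_KEY} not listed for the anonymous user")
    if entry.get("havePermission"):
        return Finding(True, "anonymous user holds Browse Users; the user picker will leak the directory")
    return Finding(False, "anonymous user lacks Browse Users")


def assess_user_picker(status: int, body: str) -> Finding:
    """Interpret an unauthenticated GET /rest/api/2/user/picker?query=a response.

    HTTP 200 with a non-empty "users" array means names (and whatever else the
    picker renders) are enumerable without logging in. A non-200 status, or an
    empty result, is treated as not exposed.
    """
    if status != 200:
        return Finding(False, f"user picker returned HTTP {status}; anonymous access looks blocked")
    try:
        users = json.loads(body).get("users", [])
    except json.JSONDecodeError:
        return Finding(False, "user picker body is not JSON (probably a login page)")
    if users:
        return Finding(True, f"user picker returned {len(users)} user record(s) to an anonymous client")
    return Finding(False, "user picker returned no users (permission withheld or no match)")


def fetch(url: str) -> Tuple[int, str]:
    """Unauthenticated GET. 401/403 are returned as a status, not raised, because
    they are the expected outcome once "Anyone" is removed from Browse Users."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe(base_url: str) -> List[Finding]:
    """Run both checks against a live instance, e.g. probe("https://jira.example.com")."""
    base = base_url.rstrip("/")
    return [
        assess_mypermissions(*fetch(f"{base}/rest/api/2/mypermissions")),
        assess_user_picker(*fetch(f"{base}/rest/api/2/user/picker?query=a")),
    ]


# Constructed sample responses (not captured from any real instance) so the
# classification logic can be run offline.
SAMPLE_EXPOSED_PERMS = '{"permissions": {"USER_PICKER": {"key": "USER_PICKER", "havePermission": true}}}'
SAMPLE_FIXED_PERMS = '{"permissions": {"USER_PICKER": {"key": "USER_PICKER", "havePermission": false}}}'
SAMPLE_EXPOSED_PICKER = '{"users": [{"name": "jdoe", "displayName": "Jane Doe"}], "total": 1}'


def demo() -> List[Finding]:
    """Offline walk-through over the constructed samples: before and after the fix."""
    return [
        assess_mypermissions(200, SAMPLE_EXPOSED_PERMS),
        assess_user_picker(200, SAMPLE_EXPOSED_PICKER),
        assess_mypermissions(200, SAMPLE_FIXED_PERMS),
        assess_user_picker(401, ""),
    ]


if __name__ == "__main__":
    results = probe(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        print(("EXPOSED  " if f.exposed else "ok       ") + f.detail)
```

Run it against the instance before and after deleting the "Browse users: anyone" entry; the first two checks should flip from EXPOSED to ok. Because the picker check treats an empty result as "not exposed", run it from a network position that can reach the instance and with a query letter that is certain to match at least one account.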

Tobias Riede December 15, 2020

Dear @Nic Brough -Adaptavist- ,

Thank you for your explanation. If I change this option, it is no longer possible for a customer to mention me with @ in the comment field. Is there another option, or did I miss a permission?

Hello @IT TEAM23

Nic Brough -Adaptavist-
Community Leader
December 15, 2020

No, that's the whole point of being able to turn it off.
