
Browse users and groups permission is removed and still able to fetch users. Is this a vulnerability?

Hi,

I am a security researcher and I reported an issue where I removed the global permission "Browse users and groups" from the jira-software-users group. But there is one endpoint which allowed jira-software users to fetch all users' information excluding emails. I cross-checked everything to see if this was a false positive, but this is a genuine bug and I believe this is a security issue. Can someone clarify how this permission is relevant?

1 answer

0 votes
Rachel Wright Community Leader Jun 15, 2021

Hi @Gopesh Sharma , I think you'll need someone from Atlassian to weigh in on whether what you've found is intended or not.

I recently took the skillbuilder course for the ASB-150 exam (https://www.atlassian.com/university/certification/badges/exam-asb-150) and learned some additional things I didn't previously know about the "Browse users" permission.

I'm quoting the authors of the course and added some highlights:

"From the permission name, you might assume that if a user is not granted this permission, they will not be able to see other users at all in Jira. This is not the case. If the user does NOT have the Browse Users global permission, they can still view other users' profiles. They can view an issue's assignee and an issue's reporter. They will also see other user details in other areas of Jira, such as where another user has added a comment. Without the Browse Users global permission, users can NOT browse for users in most picker menus. There are some exceptions..."

There's more info about this permission in the free course. I hope that sheds some new light on how this permission works. I would personally love to have a list of which user picker menus are the exception!

Hope this helps,

Rachel Wright
Author, Jira Strategy Admin Workbook

Yes, you are right. The Browse users and groups permission doesn't apply to the Assignee or Reporter fields, but the Assignee and Reporter fields only show the project members, not all Jira users. But the endpoint that I reported leaks all users' information, which is why I reported the issue in the first place.

Deployment type: Cloud
Product plan: Premium
Permissions level: Site Admin