Hi,
I am a security researcher and I reported an issue where I removed the global permission "Browse users and groups" from the jira-software-users group. But there is one endpoint which allowed jira-software users to fetch all users' information, excluding emails. I cross-checked everything to see whether this was a false positive, but this is a genuine bug and I believe this is a security issue. Can someone clarify how this permission is relevant?
Hi @Gopesh Sharma, I think you'll need someone from Atlassian to weigh in on whether what you've found is intended or not.
I recently took the skillbuilder course for the ASB-150 exam (https://www.atlassian.com/university/certification/badges/exam-asb-150) and learned some additional things I didn't previously know about the "Browse users" permission.
I'm quoting the authors of the course and added some highlights:
"From the permission name, you might assume that if a user is not granted this permission, they will not be able to see other users at all in Jira. This is not the case. If the user does NOT have the Browse Users global permission, they can still view other users' profiles. They can view an issue's assignee and an issue's reporter. They will also see other user details in other areas of Jira, such as where another user has added a comment. Without the Browse Users global permission, users can NOT browse for users in most picker menus. There are some exceptions..."
There's more info about this permission in the free course. I hope that sheds some new light on how this permission works. I would personally love to have a list of which user picker menus are the exception!
Hope this helps,
Rachel Wright
Author, Jira Strategy Admin Workbook
Yes, you are right. The "Browse users and groups" permission doesn't apply to the Assignee or Reporter fields, but the Assignee and Reporter fields only show the project members, not all Jira users. But the endpoint that I reported leaks all users' information, which is why I reported the issue in the first place.