Browse users and groups permission is removed and still able to fetch users. Is this a vulnerability?

Gopesh Sharma June 15, 2021

Hi,

I am a security researcher and I reported an issue where I removed the global permission "Browse users and groups" from the jira-software-users group. But there is one endpoint which allowed jira-software users to fetch all users' information excluding emails. I cross-checked everything to see if this was a false positive, but this is a genuine bug and I believe this is a security issue. Can someone clarify how this permission is relevant?

1 answer

0 votes
Rachel Wright
Community Leader
June 15, 2021

Hi @Gopesh Sharma , I think you'll need someone from Atlassian to weigh in on whether what you've found is intended or not.

I recently took the skillbuilder course for the ASB-150 exam (https://www.atlassian.com/university/certification/badges/exam-asb-150) and learned some additional things I didn't previously know about the "Browse users" permission.

I'm quoting the authors of the course and added some highlights:

"From the permission name, you might assume that if a user is not granted this permission, they will not be able to see other users at all in Jira. This is not the case. If the user does NOT have the Browse Users global permission, they can still view other users' profiles. They can view an issue's assignee and an issue's reporter. They will also see other user details in other areas of Jira, such as where another user has added a comment. Without the Browse Users global permission, users can NOT browse for users in most picker menus. There are some exceptions..."

There's more info about this permission in the free course. I hope that sheds some new light on how this permission works. I would personally love to have a list of which user picker menus are the exception!

Hope this helps,

Rachel Wright
Author, Jira Strategy Admin Workbook

Gopesh Sharma June 16, 2021

Yes, you are right. The Browse users and groups permission doesn't apply to the Assignee or Reporter fields, but the Assignee and Reporter fields only show the project members, not all Jira users. But the endpoint that I reported leaks all users' information, which is why I reported the issue in the first place.
