Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

One Misconfig (JIRA) to Leak Them All, and how to fix it

This is a response to an article published on Medium about a potential security problem many admins fall into, and has been mentioned here on Community before.

I'm almost directly quoting Jamie Echlin's original blog from Adatptavist below:

A few days ago this blog, about poor Jira configurations, circulated on Medium and social media. Although in truth this is not a new issue.

It's easy to misconfigure Jira in a way that accidentally allows that user information to be retrieved by unauthenticated users.  Less importantly, saved filter and dashboard names can also be accessed anonymously, which might provide clues about upcoming features, or leak internal information.

In recent releases Atlassian have strived to make it much clearer when you are sharing publicly, rather than just sharing within your internal organisation, but nevertheless Jira instances may already have many public filters and dashboards.

A quick fix with ScriptRunner for Jira

Fixing these is manual and often time-consuming, so we have written a script for ScriptRunner for Jira (Server and Data Center) that will report and fix these by simply replacing the single Public permission with an "Authenticated Users" permission. 

Copy it into Script Console (Admin -> Script Console) and hit the Run button.  It will list the three possible problem areas - which are:

  1. Anyone having the Browse Users permission
  2. Saved filters shared with Public (or Everyone in older versions)
  3. Saved dashboards shared with Public

If you are happy to have it fix all of these change the FIX_MODE = false to true, and re-run.

Some filters may not be able to be fixed if the owner has been deactivated - check for log messages. In these cases you could just delete the filters, or bulk transfer ownership to another user.

If you don't have ScriptRunner for Jira installed, get an evaluation license to run this as a once-off.



Log in or Sign up to comment

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you