One Misconfig (JIRA) to Leak Them All, and how to fix it

This is a response to an article published on Medium about a potential security problem many admins fall into, one that has been mentioned here on Community before.

I'm almost directly quoting Jamie Echlin's original blog from Adaptavist below:

A few days ago this blog, about poor Jira configurations, circulated on Medium and social media, although in truth this is not a new issue.

It's easy to misconfigure Jira in a way that accidentally allows user information to be retrieved by unauthenticated users. Less importantly, saved filter and dashboard names can also be accessed anonymously, which might provide clues about upcoming features, or leak internal information.

In recent releases Atlassian have strived to make it much clearer when you are sharing publicly, rather than just sharing within your internal organisation, but nevertheless Jira instances may already have many public filters and dashboards.

A quick fix with ScriptRunner for Jira

Fixing these is manual and often time-consuming, so we have written a script for ScriptRunner for Jira (Server and Data Center) that will report and fix these by simply replacing the single Public permission with an "Authenticated Users" permission.

Copy it into Script Console (Admin -> Script Console) and hit the Run button. It will list the three possible problem areas, which are:

  1. Anyone having the Browse Users permission
  2. Saved filters shared with Public (or Everyone in older versions)
  3. Saved dashboards shared with Public

If you are happy to have it fix all of these, change FIX_MODE = false to FIX_MODE = true, and re-run.

Some filters cannot be fixed if their owner has been deactivated; check the log messages. In these cases you could just delete the filters, or bulk transfer ownership to another user.

If you don't have ScriptRunner for Jira installed, get an evaluation license to run this as a one-off.
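The report-and-fix routine described above, as an added example written for this page rather than Jamie Echlin's or Adaptavist's own script. It is a ScriptRunner Script Console script for Jira Server/Data Center written against the Jira 7.x Java API (class and method names are assumed from that API; check them against the javadoc for your version); FIX_MODE follows the convention the post describes, and filters whose owner is deactivated are reported but left untouched, as the post warns.

```groovy
import com.atlassian.jira.component.ComponentAccessor
import com.atlassian.jira.issue.search.SearchRequestManager
import com.atlassian.jira.permission.GlobalPermissionKey
import com.atlassian.jira.portal.PortalPage
import com.atlassian.jira.portal.PortalPageManager
import com.atlassian.jira.security.GlobalPermissionManager
import com.atlassian.jira.sharing.SharePermissionImpl
import com.atlassian.jira.sharing.SharedEntity.SharePermissions
import com.atlassian.jira.sharing.type.ShareType

// Report only by default; change to true to apply the fixes (assumed convention from the post).
final boolean FIX_MODE = false

// Replacement for the single "Public" share: all logged-in users (Jira 7.x share type).
def authenticatedOnly = new SharePermissions(
    [new SharePermissionImpl(ShareType.Name.AUTHENTICATED, null, null)] as Set)
def report = new StringBuilder()

// 1. Browse Users granted to Anyone: hasPermission(key) with no user tests the anonymous grant.
def globalPerms = ComponentAccessor.getComponent(GlobalPermissionManager)
if (globalPerms.hasPermission(GlobalPermissionKey.USER_PICKER)) {
    report << "Browse Users is granted to Anyone\n"
    // The "Anyone" grant is the entry with a null group.
    if (FIX_MODE) globalPerms.removePermission(GlobalPermissionKey.USER_PICKER, null)
}

// 2. Saved filters shared with Public. Updating needs an active owner, so
//    filters whose owner was deactivated are only reported (delete or reassign them by hand).
def searchRequests = ComponentAccessor.getComponent(SearchRequestManager)
searchRequests.allIndexableSharedEntities.foreach { sr ->
    if (sr.permissions.global) {
        report << "Public filter: ${sr.name} (id ${sr.id}, owner ${sr.owner?.username})\n"
        if (FIX_MODE && sr.owner?.active) {
            sr.permissions = authenticatedOnly
            searchRequests.update(sr)
        } else if (FIX_MODE) {
            report << "  skipped: owner is deactivated or missing\n"
        }
    }
}

// 3. Dashboards shared with Public. PortalPage is immutable, so rebuild it with new permissions.
def portalPages = ComponentAccessor.getComponent(PortalPageManager)
portalPages.allIndexableSharedEntities.foreach { page ->
    if (page.permissions.global) {
        report << "Public dashboard: ${page.name} (id ${page.id})\n"
        if (FIX_MODE) portalPages.update(PortalPage.portalPage(page).permissions(authenticatedOnly).build())
    }
}
return report.toString() ?: "No anonymous Browse Users grant and no public filters or dashboards found"
```

Run it once with FIX_MODE = false, review the report, then re-run with FIX_MODE = true; any line marked "skipped" still needs ownership transferred or the filter deleted.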

1 comment

Matt Doar (Community Leader)
Aug 07, 2019
