How can you prevent Anonymous Users from conducting queries over the API using the picker function?

The picker function in /rest/api/2/user/picker allows an anonymous user to conduct queries. If a valid username is queried, the application provides details about the user, including their email address.

The API documentation available here: https://docs.atlassian.com/software/jira/docs/api/REST/6.2/ states that this method cannot be accessed anonymously. Furthermore, the 'anyone' group has been removed from the 'Browse Users' permission in the global permissions, yet the issue persists.

Please assist in restricting the ability of the anonymous user to conduct picker queries through the API.

1 answer

0 votes
tom lister Community Leader Feb 01, 2019

Hi @Security Researcher

Where is the anonymous access being performed? As stated, it should not be possible.

However, if you enter the REST call in a browser where you are logged into Jira, then you will get a response. But it is not anonymous.

Hi Tom,

The request can be performed through curl, a web proxy, or even through the web browser. The responses are all the same and are done without authenticating to the application. In fact, when I review the response in Burp it even has the following header: 'x-ausername: anonymous'

tom lister Community Leader Feb 01, 2019

Hi @Security Researcher

The permission condition in the latest docs is

Permissions required: Browse users and groups global permission. Users with permission to access Jira can call this operation, but will only get search results for an exact name match.

Check what browse permissions are set to.

Are you cloud or server? Is your instance public?

tom lister Community Leader Feb 03, 2019

Hi

I tried this on my server and it allowed anonymous access as you said, and I couldn't find an option to prevent it. Some REST APIs are intended to allow anonymous access, but the documentation suggests this one isn't one of those.

Maybe one for Atlassian support. Would probably fail most penetration tests for web apps.

I wondered whether it was connected to my server being a service desk and related to allowing users without accounts to submit tickets.

Hi Tom,

Thanks for confirming. I tested this on a clean server instance, out of the box. It appears to be a default setting somewhere or a misconfiguration. Unfortunately, I am on a trial instance and do not believe I have the ability to open a ticket with support. Any idea on how this anonymous access can be restricted, through the GUI or the corresponding code on the backend? Thanks for your help.


Thanks for taking the time to open an issue on this. Hopefully they can get a fix out soon.

We had a pentester discover this same issue on our internal JIRA Server instance. I'm unable to access the issue that @tom lister linked above. Was this ever resolved? What was the fix/workaround?
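Until the anonymous access itself is closed off, a defender can at least spot it in the server's access log. The following is an added example (not from this thread or from Atlassian) that parses log lines shaped like Jira's default HTTP access log and flags client IPs issuing several anonymous, successful requests to the user picker endpoint discussed above; the sample lines are constructed, and the field order (client IP, request id, username with "-" for anonymous, timestamp, request line, status) is an assumption to check against your own log configuration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines shaped like Jira's default HTTP access log (assumed field
# order): client IP, request id, username ("-" when anonymous), time, request, status...
SAMPLE_LOG = """\
203.0.113.7 12x3x1 - [01/Feb/2019:10:00:01 +0000] "GET /rest/api/2/user/picker?query=admin HTTP/1.1" 200 412 31 "-" "curl/7.64.0" "-"
203.0.113.7 12x4x1 - [01/Feb/2019:10:00:02 +0000] "GET /rest/api/2/user/picker?query=jsmith HTTP/1.1" 200 398 28 "-" "curl/7.64.0" "-"
203.0.113.7 12x5x1 - [01/Feb/2019:10:00:03 +0000] "GET /rest/api/2/user/picker?query=ops HTTP/1.1" 200 120 25 "-" "curl/7.64.0" "-"
10.0.0.5 12x6x1 tom.lister [01/Feb/2019:10:00:04 +0000] "GET /rest/api/2/user/picker?query=dave HTTP/1.1" 200 402 30 "-" "Mozilla/5.0" "A1B2C3"
10.0.0.9 12x7x1 - [01/Feb/2019:10:00:05 +0000] "GET /rest/api/2/serverInfo HTTP/1.1" 200 300 12 "-" "curl/7.64.0" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<reqid>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
PICKER_PATH = "/rest/api/2/user/picker"

def parse_line(line):
    """Return the fields we need as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # The picker's search term travels in the "query" parameter.
    rec["query"] = parse_qs(parts.query).get("query", [None])[0]
    rec["status"] = int(rec["status"])
    return rec

def anonymous_picker_hits(log_text):
    """Successful (2xx) picker calls with no authenticated user, grouped by client IP."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != PICKER_PATH:
            continue
        if rec["user"] == "-" and 200 <= rec["status"] < 300:
            hits[rec["ip"]].append(rec["query"])
    return dict(hits)

def alerts(log_text, threshold=3):
    """Client IPs whose distinct anonymous picker queries reach the threshold."""
    return sorted(ip for ip, qs in anonymous_picker_hits(log_text).items()
                  if len(set(qs)) >= threshold)
```

Calling `alerts(SAMPLE_LOG)` on the constructed lines returns only the address that walked through several usernames without a session; the logged-in user and the anonymous request to a different endpoint are not reported.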
