Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How can you prevent Anonymous Users from conducting queries over the API using the picker function?

Security Researcher
Security Researcher February 1, 2019

The picker function in /rest/api/2/user/picker allows an anonymous user to conduct queries. If a valid username is queried, the application provides details about the user to include their email address. 

The API documentation available here: https://docs.atlassian.com/software/jira/docs/api/REST/6.2/ states that this method cannot be accessed anonymously. Furthermore, the 'anyone' group has been removed from the 'Browse Users' permission in the global permissions, yet the issue persists. 

Please assist in restricting the ability of the anonymous user to conduct picker queries through the API. 

Answer
Watch
Like Be the first to like this
1108 views

1 answer

0 votes
Tom Lister
Tom Lister
Community Champion
February 1, 2019

Hi @Security Researcher

where is the anonymous access being performed as it should not be possible as stated.

however if you enter the rest call in a browser where you are logged into Jira then you will get a response. But it is not anonymous.

View More Comments
Security Researcher
Security Researcher February 1, 2019

Hi Tom,

The request can be performed through curl, web proxy, or even through the web browser. The responses are all the same and are done without authenticating to the application. In fact, when I review the response in burp it even has the following  header ‘x-ausername: anonymous’

Like
Tom Lister
Tom Lister
Community Champion
February 1, 2019

Hi @Security Researcher

The permission condition in the latest docs is

Permissions required: Browse users and groups global permission. Users with permission to access Jira can call this operation, but will only get search results for an exact name match.

Check what browse permissions are set to.

Are you cloud or server? Is your instance public?

Like Dave Liao likes this
Tom Lister
Tom Lister
Community Champion
February 3, 2019

Hi

I tried this on my server and it allowed anonymous as you said and I couldn’t find an option to prevent it. Some Rest apis are intended to allow anonymous access but the documentation suggests this one isn’t one of those.

maybe one for Atlassian support. Would probably fail most penetration tests for web apps.

I wondered whether it was my connected to my server being a service desk and related to allowing users without accounts to submit tickets.

Like
Security Researcher
Security Researcher February 4, 2019

Hi Tom,

 

Thanks for confirming. I tested this on a clean server instance, out of the box. It appears to be a default setting somewhere or a misconfiguration. Unfortunately, I am on a trial instance and do not believe I have the ability to open a ticket with support. Any idea on how this anonymous access can be restricted, through the GUI or the corresponding code on the backend? Thanks for your help.

Like
Like Security Researcher likes this
Security Researcher
Security Researcher February 7, 2019

Thanks for taking the time to open an issue on this. Hopefully they can get a fix out soon.

Like
Justin Ellison
Justin Ellison
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
June 3, 2021

We had a pentester discover this same issue on our internal JIRA Server instance.  I'm unable to access the issue that @Tom Lister linked above.  Was this ever resolved?  What was the fix/workaround?

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Notice at Collection Terms Security