Hi Tom,

The request can be performed through curl, web proxy, or even through the web browser. The responses are all the same and are done without authenticating to the application. In fact, when I review the response in burp it even has the following  header ‘x-ausername: anonymous’

Hi @Security Researcher

The permission condition in the latest docs is

Permissions required: Browse users and groups global permission. Users with permission to access Jira can call this operation, but will only get search results for an exact name match.

Check what browse permissions are set to.

Are you cloud or server? Is your instance public?

Hi

I tried this on my server and it allowed anonymous as you said and I couldn’t find an option to prevent it. Some Rest apis are intended to allow anonymous access but the documentation suggests this one isn’t one of those.

maybe one for Atlassian support. Would probably fail most penetration tests for web apps.

I wondered whether it was my connected to my server being a service desk and related to allowing users without accounts to submit tickets.

Hi Tom,

Thanks for confirming. I tested this on a clean server instance, out of the box. It appears to be a default setting somewhere or a misconfiguration. Unfortunately, I am on a trial instance and do not believe I have the ability to open a ticket with support. Any idea on how this anonymous access can be restricted, through the GUI or the corresponding code on the backend? Thanks for your help.

Hi

I've reported this as issue SDS-38996

https://getsupport.atlassian.com/servicedesk/customer/portal/3/SDS-38996?_ga=2.225697042.963325432.1549274678-629313705.1547215270

Thanks for taking the time to open an issue on this. Hopefully they can get a fix out soon.

We had a pentester discover this same issue on our internal JIRA Server instance.  I'm unable to access the issue that @tom lister linked above.  Was this ever resolved?  What was the fix/workaround?