The picker function in /rest/api/2/user/picker allows an anonymous user to conduct queries. If a valid username is queried, the application provides details about the user to include their email address.
The API documentation available here: https://docs.atlassian.com/software/jira/docs/api/REST/6.2/ states that this method cannot be accessed anonymously. Furthermore, the 'anyone' group has been removed from the 'Browse Users' permission in the global permissions, yet the issue persists.
Please assist in restricting the ability of the anonymous user to conduct picker queries through the API.
Where is the anonymous access being performed? It should not be possible, as stated.
However, if you enter the REST call in a browser where you are logged into Jira, then you will get a response. But it is not anonymous.
Hi Tom,
The request can be performed through curl, a web proxy, or even through the web browser. The responses are all the same and are done without authenticating to the application. In fact, when I review the response in Burp it even has the following header: ‘x-ausername: anonymous’.
The permission condition in the latest docs is
Permissions required: Browse users and groups global permission. Users with permission to access Jira can call this operation, but will only get search results for an exact name match.
Check what browse permissions are set to.
Are you cloud or server? Is your instance public?
Hi
I tried this on my server and it allowed anonymous access as you said, and I couldn’t find an option to prevent it. Some REST APIs are intended to allow anonymous access, but the documentation suggests this one isn’t one of those.
Maybe one for Atlassian support. It would probably fail most penetration tests for web apps.
I wondered whether it was connected to my server being a service desk and related to allowing users without accounts to submit tickets.
Hi Tom,
Thanks for confirming. I tested this on a clean server instance, out of the box. It appears to be a default setting somewhere or a misconfiguration. Unfortunately, I am on a trial instance and do not believe I have the ability to open a ticket with support. Any idea on how this anonymous access can be restricted, through the GUI or the corresponding code on the backend? Thanks for your help.
Thanks for taking the time to open an issue on this. Hopefully they can get a fix out soon.
We had a pentester discover this same issue on our internal JIRA Server instance. I'm unable to access the issue that @Tom Lister linked above. Was this ever resolved? What was the fix/workaround?
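As an added example (not code from any poster or from Atlassian), here is a detection check an administrator could run over Jira Server access logs to find successful anonymous queries against the picker endpoint discussed in this thread. It assumes the default Tomcat access-log layout that Jira Server writes (client IP, request id, username, timestamp, request line, status, bytes, millis, referer, user agent, session id) and that unauthenticated requests carry "-" in the username column; the log lines are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumed Jira Server access-log layout (Tomcat AccessLogValve pattern):
# ip request-id username [timestamp] "METHOD path HTTP/x" status bytes millis "referer" "user-agent" "session"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<reqid>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

PICKER_PATH = "/rest/api/2/user/picker"

# Constructed sample log: two anonymous picker queries, one authenticated query, one unrelated call
SAMPLE_LOG = """\
203.0.113.7 1163x48x1 - [12/Mar/2019:10:15:02 +0000] "GET /rest/api/2/user/picker?query=admin HTTP/1.1" 200 412 35 "-" "curl/7.64.0" "-"
203.0.113.7 1163x49x1 - [12/Mar/2019:10:15:03 +0000] "GET /rest/api/2/user/picker?query=jsmith HTTP/1.1" 200 398 30 "-" "curl/7.64.0" "-"
10.0.0.5 1163x50x1 jsmith [12/Mar/2019:10:16:10 +0000] "GET /rest/api/2/user/picker?query=tom HTTP/1.1" 200 401 22 "https://jira.example.test/browse/PROJ-1" "Mozilla/5.0" "7A3B"
198.51.100.9 1163x51x1 - [12/Mar/2019:10:17:44 +0000] "GET /rest/api/2/serverInfo HTTP/1.1" 200 210 5 "-" "python-requests/2.21" "-"
"""

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_anonymous(user):
    # Assumption: Jira logs "-" for unauthenticated requests; "anonymous" kept as a defensive alias
    return user in ("-", "anonymous")

def find_anonymous_picker_hits(lines):
    """Return records for successful (HTTP 200) picker requests made without a logged-in user."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["path"])
        if parts.path != PICKER_PATH or not is_anonymous(rec["user"]) or rec["status"] != "200":
            continue
        # Keep the searched-for name so an admin can see which accounts were enumerated
        rec["query"] = parse_qs(parts.query).get("query", [""])[0]
        hits.append(rec)
    return hits

def hits_per_source(hits):
    """Count anonymous picker hits per client IP, useful for spotting enumeration bursts."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    found = find_anonymous_picker_hits(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["ip"]} anonymous picker query={h["query"]!r} ua={h["ua"]!r}')
    print(dict(hits_per_source(found)))
```

Any non-zero count after "Browse Users" has been removed from the "anyone" group confirms that the restriction is not being enforced for this endpoint, which is the evidence to attach to a support ticket.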