From 0fc1212d8f20f4ff9ee47650cbfc945539f174b4 Mon Sep 17 00:00:00 2001
From: Techbrunch
Date: Mon, 6 Jul 2020 12:23:09 +0200
Subject: [PATCH] Create jira-unauthenticated-user-picker.yaml

Through the user picker functionality within Jira your user base information could be available to anonymous users. The Browse User Global Permission allows a user to view a list of all Jira user names and group names, share issues, and @mention people on issues. This is used for selecting users/groups in popup screens and also enables auto-completion of usernames in most 'User Picker' menus and popups. If you grant this permission to the Anyone group, you will be allowing anonymous users access to the endpoints that provide a list of users. Remediation: Ensure that this permission is restricted to specific groups that require it. You can restrict it in Administration > System > Global Permissions.
---
 .../jira-unauthenticated-user-picker.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 security-misconfiguration/jira-unauthenticated-user-picker.yaml

diff --git a/security-misconfiguration/jira-unauthenticated-user-picker.yaml b/security-misconfiguration/jira-unauthenticated-user-picker.yaml
new file mode 100644
index 0000000000..ce607b5556
--- /dev/null
+++ b/security-misconfiguration/jira-unauthenticated-user-picker.yaml
@@ -0,0 +1,15 @@
+id: jira-unauthenticated-user-picker
+
+info:
+ name: Jira Unauthenticated User Picker
+ author: TechbrunchFR
+ severity: High
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/secure/popups/UserPickerBrowser.jspa"
+ matchers:
+ - type: word
+ words:
+ - 'user-picker'
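Review bot: The single `words` matcher on the hunk's last line accepts any response whose body contains the substring `user-picker`, with no status check and no `part`, so a hardened instance that answers with a login or permission-denied page still mentioning the picker widget would presumably be reported as misconfigured. Pair it with a status condition so both must hold: add `matchers-condition: and` under the request and a second matcher `- type: status` with `status:` / `- 200` alongside the existing word matcher. The `info` block also carries no `description` or `reference`; the remediation text in the commit message (restrict Browse Users under Administration > System > Global Permissions) belongs in a `description:` field so the finding is actionable in the scan output. As a point of style, the path uses double quotes while the matcher word uses single quotes; neither needs escapes, so pick one quoting style for the file.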