From 981979d905ac71674e4d0476e6182c871a593f19 Mon Sep 17 00:00:00 2001
From: Techbrunch
Date: Mon, 6 Jul 2020 18:02:11 +0200
Subject: [PATCH] Create jira-unauthenticated-dashboards.yaml

If public sharing is ON it allows users to share dashboards and filters with all users including those that are not logged in. Those dashboard and filters could reveal potentially sensitive information.
---
.../jira-unauthenticated-dashboards.yaml | 29 +++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 security-misconfiguration/jira-unauthenticated-dashboards.yaml

diff --git a/security-misconfiguration/jira-unauthenticated-dashboards.yaml b/security-misconfiguration/jira-unauthenticated-dashboards.yaml
new file mode 100644
index 0000000000..5972b321f7
--- /dev/null
+++ b/security-misconfiguration/jira-unauthenticated-dashboards.yaml
@@ -0,0 +1,29 @@
+id: jira-unauthenticated-dashboards
+
+# If public sharing is ON it allows users to share dashboards and filters with all users including
+# those that are not logged in. Those dashboard and filters could reveal potentially sensitive information.
+
+info:
+  name: Jira Unauthenticated Dashboards
+  author: TechbrunchFR
+  severity: Info
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/rest/api/2/dashboard?maxResults=100"
+    matchers:
+      - type: word
+        words:
+          - 'dashboards'
+          - 'startAt'
+          - 'maxResults'
+        condition: and
+
+# Remediation:
+# Ensure that this permission is restricted to specific groups that require it.
+# You can restrict it in Administration > System > Global Permissions.
+# Turning the feature off will not affect existing filters and dashboards.
+# If you change this setting, you will still need to update the existing filters and dashboards if they have already been
+# shared publicly.
+# Since Jira 7.2.10, a dark feature to disable site-wide anonymous access was introduced.
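Review bot: The word matcher in the new template keys on the JSON envelope of the dashboard search (`dashboards`, `startAt`, `maxResults`), which, as far as I recall, Jira also returns to anonymous callers that can only see the built-in System Dashboard, so a match on its own does not establish that user-shared dashboards or filters are exposed; the header comment should say so, e.g. `# A match only shows the endpoint answers anonymously; review the returned dashboards before reporting.` Tying the match to a successful response with a status matcher under `matchers-condition: and` (a request-level key, sibling of `matchers`) would at least rule out error bodies that happen to echo those words; the lines below add one. The `severity: Info` value is capitalised, while nuclei templates conventionally write severities in lowercase (`info`), so I would change it unless the loader in use is known to be case-insensitive.
```yaml
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      # … unchanged: word matcher on dashboards / startAt / maxResults …
```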