Summary


Advisory Release Date

2022/08/30

Products

License & User Deactivator for Jira

Affected License & User Deactivator for Jira versions

4.8.1 - 4.10.2

Fixed License & User Deactivator for Jira versions

4.10.4 and upcoming versions

CVSS Score: Base Score / Temporal Score

5.3


Summary

This advisory discloses a medium-severity security vulnerability affecting License & User Deactivator for Jira when the License Optimizer for Jira Service Management functionality is used, present since version 4.8.1.

Details

If you are using the License Optimizer functionality for Jira Service Management and need to assign a user that currently has no access, License Optimizer overrides the response of the Jira /rest/api/latest/user/assignable/search endpoint.

A missing authentication and authorization check allowed users who were not logged in, or who had no access to the JSM project referenced in the REST request, to retrieve the list of users that can be assigned to an issue.

That JSON response contains usernames and email addresses, among a few other user properties:

[
   {
      "self":"https://your.jira.com/rest/api/2/user?username=sd-agent",
      "key":"JIRAUSER10400",
      "name":"sd-agent",
      "emailAddress":"sd-agent@company.com",
      "avatarUrls":{
         "48x48":"https://www.gravatar.com/avatar/cdff8c40c13bc745cb3905efece28289?d=mm&s=48",
         "24x24":"https://www.gravatar.com/avatar/cdff8c40c13bc745cb3905efece28289?d=mm&s=24",
         "16x16":"https://www.gravatar.com/avatar/cdff8c40c13bc745cb3905efece28289?d=mm&s=16",
         "32x32":"https://www.gravatar.com/avatar/cdff8c40c13bc745cb3905efece28289?d=mm&s=32"
      },
      "displayName":"Service Desk Agent",
      "active":true,
      "deleted":false,
      "timeZone":"GMT",
      "locale":"en_US"
   }
]

Prerequisites

To retrieve a response like this as an unauthenticated user, all of the following parameters still have to be provided in the REST request:

  • a valid project key of a JSM project
  • a valid key of an issue in that project
  • a non-empty search term for the username parameter in the request that matches users who have the Service Desk Team project role
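The prerequisites above also describe what a successful exploitation attempt looks like in the Jira access log, so they can be turned into a retrospective check. The following script is an added example, not part of this advisory or the app; it assumes an Apache-style Jira access log where the third field is the authenticated username ("-" for anonymous), assumes the query parameters are named project, issueKey and username, and runs over constructed sample lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint that License Optimizer overrides (named in the advisory).
ASSIGNABLE_SEARCH = "/rest/api/latest/user/assignable/search"

# Assumed access-log layout: client ip, request id, user ("-" when anonymous),
# [timestamp], quoted request line, status. Adjust the regex for your deployment.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<reqid>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def flag_unauthenticated_assignable_search(lines):
    """Return entries where an anonymous client called the assignable-user search
    with all three parameters the advisory lists and received HTTP 200.
    A patched instance should never produce such a line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != ASSIGNABLE_SEARCH:
            continue
        params = parse_qs(url.query)  # drops empty values, so "username=" is not a hit
        has_prereqs = all(params.get(k, [""])[0] for k in ("project", "issueKey", "username"))
        if m["user"] == "-" and has_prereqs and m["status"] == "200":
            hits.append({
                "ip": m["ip"], "ts": m["ts"],
                "project": params["project"][0],
                "issueKey": params["issueKey"][0],
                "username": params["username"][0],
            })
    return hits

# Constructed sample lines (not real traffic): only the first one meets every condition.
SAMPLE_LOG = [
    '203.0.113.7 1x2x1 - [30/Aug/2022:10:00:01 +0000] "GET /rest/api/latest/user/assignable/search?project=SD&issueKey=SD-1&username=sd HTTP/1.1" 200 812',
    '203.0.113.7 1x2x2 - [30/Aug/2022:10:00:02 +0000] "GET /rest/api/latest/user/assignable/search?project=SD&issueKey=SD-1 HTTP/1.1" 401 0',
    '198.51.100.9 1x3x1 agent1 [30/Aug/2022:10:00:03 +0000] "GET /rest/api/latest/user/assignable/search?project=SD&issueKey=SD-1&username=sd HTTP/1.1" 200 812',
    '203.0.113.7 1x2x3 - [30/Aug/2022:10:00:04 +0000] "GET /rest/api/2/myself HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for hit in flag_unauthenticated_assignable_search(SAMPLE_LOG):
        print(hit)
```

Hits from before the update to 4.10.4 indicate that usernames and email addresses may already have been disclosed to an anonymous client and should be handled as a data exposure, not only as a patch backlog item.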



What You Need to Do

Please update the app to version 4.10.4 or any later version.

Support

If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.