User DeactivatorUser Deactivator
Try For Free

2022-08-30 Missing Authentication & Authorization Checks On Assignee Search REST Endpoint


Summary


Advisory Release Date

2022/08/30

Products

License & User Deactivator for Jira

Affected License & User Deactivator for Jira versions

4.8.1 - 4.10.2

Fixed License & User Deactivator for Jira versions

4.10.4 and upcoming versions

CVSS Score: Base Score / Temporal Score

5.3


Summary

This advisory discloses a medium severity security vulnerability affecting License & User Deactivator for Jira when using License Optimizer for Jira Service Management since version 4.8.1.

Details

If you are using the License Optimizer functionality for Jira Service Management and need to assign a user that has currently no access, License Optimizer overrides the Jira /rest/api/latest/user/assignable/search response.

A missing authentication and authorization check enabled users not logged in or not having access to the specific JSM project in the REST request to retrieve users that can be assigned to an issue.

That JSON response contains usernames and email addresses, among a few other user properties:

  1. [
  2. {
  3. "self":"https://your.jira.com/rest/api/2/user?username=sd-agent",
  4. "key":"JIRAUSER10400",
  5. "name":"sd-agent",
  6. "emailAddress":"sd-agent@company.com",
  7. "avatarUrls":{
  8. "48x48":"https://www.gravatar.com/avatar/cdff8c40c13bc745cb3905efece28289?d=mm&s=48",
  9. "24x24":"https://www.gravatar.com/avatar/cdff8c40c13bc745cb3905efece28289?d=mm&s=24",
  10. "16x16":"https://www.gravatar.com/avatar/cdff8c40c13bc745cb3905efece28289?d=mm&s=16",
  11. "32x32":"https://www.gravatar.com/avatar/cdff8c40c13bc745cb3905efece28289?d=mm&s=32"
  12. },
  13. "displayName":"Service Desk Agent",
  14. "active":true,
  15. "deleted":false,
  16. "timeZone":"GMT",
  17. "locale":"en_US"
  18. }


Prerequisites

To retrieve a response like this as an unauthenticated user you still have to provide all the following parameters in the REST request:

  • a valid project key of a JSM project

  • a valid key of an issue in that project

  • a non-empty search term for the username parameter in the request that matches users who have the Service Desk Team project role



What You Need to Do

Please update the app to version 4.10.4 or future, later versions.

Support

If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.

This site uses cookies to deliver its service & to analyse traffic. By browsing this site, you accept the privacy policy.

Our Wiki uses cookies

We want to give you the best possible experience on our website. For this we use technically required cookies and, if you agree, cookies for analysis and marketing purposes. You can find more information about the cookies in our Privacy Policy. By tapping ‘Accept All,’ you consent to the use of these methods by us and third parties.

Necessary
Always Active
Analytics
Advertisement
Other