JIRA
If you are interested in hacking career and hack the unhackable - we are hiring! (fluent polish written and spoken required).
Check Privileges
In Jira, privileges can be checked by any user, authenticated or not, through the endpoints /rest/api/2/mypermissions
or /rest/api/3/mypermissions
. These endpoints reveal the user's current privileges. A notable concern arises when non-authenticated users hold privileges, indicating a security vulnerability that could potentially be eligible for a bounty. Similarly, unexpected privileges for authenticated users also highlight a vulnerability.
An important update was made on 1st February 2019, requiring the 'mypermissions' endpoint to include a 'permission' parameter. This requirement aims to enhance security by specifying the privileges being queried: check it here
ADD_COMMENTS
ADMINISTER
ADMINISTER_PROJECTS
ASSIGNABLE_USER
ASSIGN_ISSUES
BROWSE_PROJECTS
BULK_CHANGE
CLOSE_ISSUES
CREATE_ATTACHMENTS
CREATE_ISSUES
CREATE_PROJECT
CREATE_SHARED_OBJECTS
DELETE_ALL_ATTACHMENTS
DELETE_ALL_COMMENTS
DELETE_ALL_WORKLOGS
DELETE_ISSUES
DELETE_OWN_ATTACHMENTS
DELETE_OWN_COMMENTS
DELETE_OWN_WORKLOGS
EDIT_ALL_COMMENTS
EDIT_ALL_WORKLOGS
EDIT_ISSUES
EDIT_OWN_COMMENTS
EDIT_OWN_WORKLOGS
LINK_ISSUES
MANAGE_GROUP_FILTER_SUBSCRIPTIONS
MANAGE_SPRINTS_PERMISSION
MANAGE_WATCHERS
MODIFY_REPORTER
MOVE_ISSUES
RESOLVE_ISSUES
SCHEDULE_ISSUES
SET_ISSUE_SECURITY
SYSTEM_ADMIN
TRANSITION_ISSUES
USER_PICKER
VIEW_AGGREGATED_DATA
VIEW_DEV_TOOLS
VIEW_READONLY_WORKFLOW
VIEW_VOTERS_AND_WATCHERS
WORK_ON_ISSUES
Example: https://your-domain.atlassian.net/rest/api/2/mypermissions?permissions=BROWSE_PROJECTS,CREATE_ISSUES,ADMINISTER_PROJECTS
Automated enumeration
If you are interested in hacking career and hack the unhackable - we are hiring! (fluent polish written and spoken required).
Last updated