parent
ef14d419ab
commit
08a6342a99
|
@ -23,6 +23,15 @@ Inside a Jira instance **any user** (even **non-authenticated**) can **check its
|
|||
If a **non-authenticated** user have any **privilege**, this is a **vulnerability** (bounty?).\
|
||||
If an **authenticated** user have any **unexpected privilege**, this a a **vuln**.
|
||||
|
||||
Update: As of 18th September 2023 - the 'mypermissions' endpoint requires a 'permission' parameter with one of the following parameters
|
||||
[https://developer.atlassian.com/cloud/jira/platform/change-notice-get-my-permissions-requires-permissions-query-parameter/#change-notice---get-my-permissions-resource-will-require-a-permissions-query-parameter](https://developer.atlassian.com/cloud/jira/platform/change-notice-get-my-permissions-requires-permissions-query-parameter/#change-notice---get-my-permissions-resource-will-require-a-permissions-query-parameter)
|
||||
- BROWSE_PROJECTS
|
||||
- CREATE_ISSUES
|
||||
- ADMINISTER_PROJECTS
|
||||
|
||||
Example: `https://your-domain.atlassian.net/rest/api/2/mypermissions?permissions=BROWSE_PROJECTS,CREATE_ISSUES,ADMINISTER_PROJECTS`
|
||||
|
||||
|
||||
```bash
|
||||
#Check non-authenticated privileges
|
||||
curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'
|
||||
|
|
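Review bot: the added "Update" sentence calls the query parameter 'permission', while the example URL a few lines further down (and the title of the linked change notice) uses `permissions`; the sentence should use the same name as the example. In the same sentence, "one of the following parameters" would be clearer as "one or more of the following values", since the example passes three of them comma-separated, and if the three listed names are only a sample, the text should say so. The unchanged curl command in the trailing context still requests `/rest/api/2/mypermissions` with no query string, which contradicts the new note; either append `?permissions=BROWSE_PROJECTS,CREATE_ISSUES,ADMINISTER_PROJECTS` to it (quoting the URL for the shell) or state which instances still accept the bare endpoint.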