Security vulnerability in a Forge GET-method of Users REST API

Hello everyone,

Any Forge application can access the data of the current user if the app requests it on behalf of a user (asUser) via the REST API. Thus the application can even get data that the current user has hidden, for example their e-mail address.
Isn't this a security vulnerability and a data privacy violation?
Leaving applications to request a user's data only on behalf of the application (asApp) solves the issue.

In order to fetch any data, the app needs to declare the scopes it will be using; in this case, read:jira-user.

asApp calls can be done without user consent but asUser calls require permission from the user.

When a user visits an app, they will be met with the following consent screens.


We intend to provide as much information as possible on these screens to ensure users are informed of the choice being made.

vuln cannot send data to any location

This message can change depending on the egress calls declared in the manifest file alongside the scopes.

If you are able to find a way to make these asUser calls without the user consent do let us know!
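The asApp/asUser distinction and the consent rules described in the reply above (and in the later reply about admin install consent versus per-user consent), as an added example that is not code from this thread or from Atlassian. A real Forge resolver would import the default client from '@forge/api' and call `api.asUser().requestJira(...)` / `api.asApp().requestJira(...)`; here the client is injected and replaced by a constructed fake. The fake's behaviour (asUser refused until the user has consented, the user's own e-mail returned only from `/rest/api/3/myself` asUser, e-mail omitted from `/rest/api/3/user` asApp when hidden) is an assumption that models the claims made in the thread, not a description of Jira's actual responses.

```javascript
// Added example, not code from the thread or from Atlassian: a Forge-style
// resolver that fetches a user's profile either as the signed-in user
// (asUser) or as the app itself (asApp). The Forge client is injected so the
// block runs offline against a constructed fake.

// Jira Cloud REST paths used by the resolver.
const MYSELF_PATH = '/rest/api/3/myself';
const userPath = (accountId) =>
  `/rest/api/3/user?accountId=${encodeURIComponent(accountId)}`;

// Resolver logic. `principal` is 'user' (asUser) or 'app' (asApp).
async function fetchProfile(client, { principal, accountId }) {
  if (principal === 'user') {
    // asUser acts as the signed-in user and reads that user's own profile.
    // It only works once the user has accepted the per-user consent prompt.
    const res = await client.asUser().requestJira(MYSELF_PATH);
    return res.json();
  }
  if (principal === 'app') {
    // asApp acts as the app; only the admin's install consent is needed.
    const res = await client.asApp().requestJira(userPath(accountId));
    return res.json();
  }
  throw new Error(`unknown principal: ${principal}`);
}

// Constructed fake of the Forge API client (an assumption for this example,
// not Atlassian's implementation). It encodes three rules from the thread:
//   - asUser calls are refused until the user has consented;
//   - asUser /myself returns the user's own e-mail even if they hid it;
//   - asApp /user omits the e-mail when the user has hidden it.
class FakeForgeApi {
  constructor({ userConsented, profile }) {
    this.userConsented = userConsented;
    this.profile = profile; // { accountId, displayName, emailAddress, emailHidden }
  }

  asUser() {
    return {
      requestJira: async (path) => {
        if (!this.userConsented) {
          throw new Error('asUser call refused: user has not consented');
        }
        if (path !== MYSELF_PATH) throw new Error(`unexpected path ${path}`);
        const { emailHidden, ...own } = this.profile; // own profile, all fields
        return { json: async () => own };
      },
    };
  }

  asApp() {
    return {
      requestJira: async (path) => {
        if (path !== userPath(this.profile.accountId)) {
          throw new Error(`unexpected path ${path}`);
        }
        const { emailHidden, emailAddress, ...publicFields } = this.profile;
        return {
          json: async () =>
            emailHidden ? publicFields : { ...publicFields, emailAddress },
        };
      },
    };
  }
}

// Constructed sample user who has hidden their e-mail address.
const SAMPLE_PROFILE = {
  accountId: 'acc-0001',
  displayName: 'Sample User',
  emailAddress: 'sample.user@example.com',
  emailHidden: true,
};

// Runs the three cases discussed in the thread and reports what the app sees.
async function demo() {
  const consented = new FakeForgeApi({ userConsented: true, profile: SAMPLE_PROFILE });
  const notConsented = new FakeForgeApi({ userConsented: false, profile: SAMPLE_PROFILE });
  const accountId = SAMPLE_PROFILE.accountId;

  const viaApp = await fetchProfile(consented, { principal: 'app', accountId });
  const viaUser = await fetchProfile(consented, { principal: 'user' });
  let refused = false;
  try {
    await fetchProfile(notConsented, { principal: 'user' });
  } catch (e) {
    refused = true;
  }
  return {
    appSeesEmail: 'emailAddress' in viaApp,   // false: privacy setting honoured
    userSeesEmail: 'emailAddress' in viaUser, // true: own profile via asUser
    refusedWithoutConsent: refused,           // true: no per-user consent yet
  };
}

demo().then((result) => console.log(result));
```

The point for a reviewer of a Forge app is the principal each call runs under: an `asApp()` call is covered by the admin's install consent alone, while every `asUser()` call is gated on the consent screen each individual user sees, and what that screen lists is driven by the scopes (and egress declarations) in the manifest.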

@Alex_Basatski Also, if you suspect you’ve found a security vulnerability in an Atlassian product, it’s better to report it through the instructions at https://www.atlassian.com/trust/security/report-a-vulnerability so we have time to fix it for all our customers before it’s exploited.

@JoshuaHwang thank you for your reply.
Let me ask one more question. Should each user of Jira give permission to the application to access data or only administrator can give permission?

An admin must give permission to install the app on the site.

Each user individually needs to give permission to the application to run asUser calls.


@JoshuaHwang I understand, thank you.