Check Permissions as Anonymous User - carnal0wnage/J-PWN GitHub Wiki

Check Permissions as Anonymous User

Category: [Info Disclosure]

[CG] This module requests the /rest/api/2/mypermissions endpoint without any session cookie or Authorization header and looks for entries with "havePermission": true. Anonymous users can reach this URL on a default install, but if Jira is configured correctly every permission in the response reports "havePermission": false. A true entry means the anonymous user actually holds that permission somewhere in the instance (for example in a project that intentionally allows anonymous access), so inspect each hit manually rather than treating every true as a misconfiguration; the tool flags them with [Manually Inspect] for that reason.

module name: check_anonymous_permissions

url: /rest/api/2/mypermissions

Vuln:

```text
- Running Vuln Checks
[INFO] Running single module: check_anonymous_permissions

INFO: Checking for Unauthorized Access to MyPermissions
[Testing URL]: http://JIRASERVER/rest/api/2/mypermissions

+ Vulnerable: The following permissions have 'havePermission': true [Manually Inspect]
  - ID: -1
    Key: MANAGE_SPRINTS_PERMISSION
    Name: Manage Sprints
    Description: Ability to manage sprints.
```

Not Vuln:

```text
INFO: Checking for Unauthorized Access to MyPermissions
[Testing URL]: http://JIRASERVER/rest/api/2/mypermissions

[-] Not Vulnerable: No permissions with 'havePermission': true found
```
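The check described above, written out as an added stand-alone example (this is not J-PWN's own code). It fetches /rest/api/2/mypermissions with no cookies or credentials, so the result is what an anonymous user sees, then reports every entry whose havePermission is exactly JSON true. The response envelope (a top-level "permissions" object keyed by permission key, each entry carrying id, key, name, type, description and havePermission) is the Jira Server/Data Center REST format; the sample response embedded below is constructed for the example and mirrors the Manage Sprints finding shown in the output above. The function and script names are the example's own.

```python
import json
import sys
import urllib.request
from typing import Dict, List

# Constructed sample of a /rest/api/2/mypermissions response to an anonymous
# caller. A real Jira Server/Data Center reply lists every permission in the
# system; three are enough here. Only MANAGE_SPRINTS_PERMISSION is granted,
# which mirrors the finding in the wiki's sample output above.
SAMPLE_RESPONSE = json.dumps({
    "permissions": {
        "ADMINISTER": {
            "id": "0",
            "key": "ADMINISTER",
            "name": "Jira Administrators",
            "type": "GLOBAL",
            "description": "Ability to perform most administration functions.",
            "havePermission": False,
        },
        "BROWSE_PROJECTS": {
            "id": "10",
            "key": "BROWSE_PROJECTS",
            "name": "Browse Projects",
            "type": "PROJECT",
            "description": "Ability to browse projects and the issues within them.",
            "havePermission": False,
        },
        "MANAGE_SPRINTS_PERMISSION": {
            "id": "-1",
            "key": "MANAGE_SPRINTS_PERMISSION",
            "name": "Manage Sprints",
            "type": "PROJECT",
            "description": "Ability to manage sprints.",
            "havePermission": True,
        },
    }
})


def granted_permissions(body: str) -> List[Dict[str, str]]:
    """Parse a mypermissions JSON body and return the entries granted to the caller.

    The comparison is 'is True' rather than plain truthiness so that a string
    such as "false", or any other unexpected type, is never counted as a grant.
    """
    data = json.loads(body)
    permissions = data.get("permissions")
    if not isinstance(permissions, dict):
        raise ValueError("response has no 'permissions' object; not a mypermissions reply?")
    found = []
    for key, entry in permissions.items():
        if isinstance(entry, dict) and entry.get("havePermission") is True:
            found.append({
                "id": str(entry.get("id", "")),
                "key": str(entry.get("key", key)),
                "name": str(entry.get("name", "")),
                "description": str(entry.get("description", "")),
            })
    return sorted(found, key=lambda p: p["key"])


def fetch_mypermissions(base_url: str, timeout: float = 10.0) -> str:
    """GET /rest/api/2/mypermissions with no cookies and no Authorization header,
    i.e. exactly the view an anonymous user gets. Returns the raw response body."""
    url = base_url.rstrip("/") + "/rest/api/2/mypermissions"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def report(base_url: str, body: str) -> str:
    """Render the finding in the same shape as the module output shown above."""
    lines = ["INFO: Checking for Unauthorized Access to MyPermissions",
             f"[Testing URL]: {base_url.rstrip('/')}/rest/api/2/mypermissions"]
    hits = granted_permissions(body)
    if not hits:
        lines.append("[-] Not Vulnerable: No permissions with 'havePermission': true found")
    else:
        lines.append("+ Vulnerable: The following permissions have 'havePermission': true [Manually Inspect]")
        for p in hits:
            lines += [f"  - ID: {p['id']}", f"    Key: {p['key']}",
                      f"    Name: {p['name']}", f"    Description: {p['description']}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python check_anonymous_permissions.py http://JIRASERVER
    # With no argument the constructed sample response is parsed instead.
    if len(sys.argv) > 1:
        target = sys.argv[1]
        print(report(target, fetch_mypermissions(target)))
    else:
        print(report("http://JIRASERVER", SAMPLE_RESPONSE))
```

Two practical notes. The request deliberately uses a fresh urllib request rather than a browser or proxy session: if a JSESSIONID or seraph.rememberme cookie rides along, the endpoint answers for that logged-in user and the check no longer says anything about anonymous access. And a non-JSON reply (a login redirect page, or an error object without a "permissions" key) raises ValueError instead of being silently reported as "Not Vulnerable".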