2020-07-15 15:43:14 +00:00
# JIRA
### Check Privileges
2021-10-18 11:21:18 +00:00
Inside a Jira instance **any user** (even **non-authenticated** ) can **check its privileges** in `/rest/api/2/mypermissions` or `/rest/api/3/mypermissions` . These endpoints will return your current privileges.\
2021-11-30 13:55:54 +00:00
If a **non-authenticated** user have any **privilege** , this is a **vulnerability ** (bounty?).\
If an **authenticated **user have any **unexpected privilege** , this a a **vuln** .
2020-07-15 15:43:14 +00:00
```bash
#Check non-authenticated privileges
curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'
```
2021-07-26 11:23:34 +00:00
### Automated enumeration
2020-07-15 15:43:14 +00:00
2021-07-26 11:23:34 +00:00
* [https://github.com/0x48piraj/Jiraffe ](https://github.com/0x48piraj/Jiraffe )
2021-11-30 13:55:54 +00:00
* [https://github.com/bcoles/jira_scan ](https://github.com/bcoles/jira_scan )
