Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 7.13.19, 7.19.11, 8.6.0, 8.5.2
Affects Version/s: 7.16.0
Component/s: Server - Platform
Labels:

Support reference count:
7
Symptom Severity:
Severity 3 - Minor
UIS:
2
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Issue Summary

When accessing the REST API endpoints as an unauthenticated user an error page is displayed and this page contains the version information for Tomcat. This is a security concern and should not be disclosed.

Steps to Reproduce

As an unauthenticated user access the following REST endpoint:
- http(s)://<your-conflunece-url>/rest/menu/latest/admin

Expected Results

Error is displayed but the Tomcat version information is hidden.

Actual Results

Error is displayed as well as the Tomcat version details as per the screen-shot below:

Workaround

Alter the behavior of the error reporting by adding the following entry to your server.xml file:

<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>

This will suppress the server information being displayed as part of the error report.

Note

By adding showReport="false" to the valve, Tomcat will only return the HTTP code as HTML.
Ref: Apache Tomcat 8 Configuration Reference > The Valve Component > Error_Report_Valve

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

image-2020-03-04-15-09-34-969.png
39 kB
04/Mar/2020 2:09 PM

Issue Links

relates to

JRASERVER-73263 Tomcat should not disclose its own version to unauthenticated users

Gathering Impact

follows: VULN-680771 Loading...

links to

Original (master branch) ticket on AsecJ > VULN

Activity

People

Assignee:: Jeffery Xie

Reporter:: Ferdinand van Zyl (Inactive)

Votes:: 2 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Due:: 05/Sep/2022

Created:: 04/Mar/2020 2:24 PM

Updated:: 05/Oct/2023 10:47 AM

Resolved:: 11/Jul/2023 4:34 AM