-
Type:
Bug
-
Resolution: Obsolete
-
Priority:
Low
-
Component/s: Ecosystem
-
Severity 3 - Minor
Jira reports the 404 not-found earlier than the 401 not-authorized. This discloses the (non-)existence of a specific issue numbers to unauthorized users. While this isn't a huge leak, this could come in useful with social engineering.
Proof of concept: Both of the calls below are unauthenticated, and should report a 401 status. Instead, the some report a 404 status.
curl -v https://cloudvps.atlassian.net/rest/api/latest/issue/OS-0 curl -v https://cloudvps.atlassian.net/rest/api/latest/issue/OS-2 curl -v https://cloudvps.atlassian.net/rest/api/2/attachment/10201 curl -v https://cloudvps.atlassian.net/rest/api/2/attachment/10200 curl -v https://cloudvps.atlassian.net/rest/api/2/comment/10372/properties curl -v https://cloudvps.atlassian.net/rest/api/2/comment/103720/properties
- is related to
-
JRACLOUD-65970 "Issue Does Not Exist" page leaks information to non-logged in users
-
- Closed
-