Information disclosure in the REST API

XMLWordPrintable

    • Severity 3 - Minor

      Jira reports the 404 not-found earlier than the 401 not-authorized. This discloses the (non-)existence of a specific issue numbers to unauthorized users. While this isn't a huge leak, this could come in useful with social engineering.

      Proof of concept: Both of the calls below are unauthenticated, and should report a 401 status. Instead, the some report a 404 status.

      curl -v https://cloudvps.atlassian.net/rest/api/latest/issue/OS-0
      curl -v https://cloudvps.atlassian.net/rest/api/latest/issue/OS-2
      curl -v https://cloudvps.atlassian.net/rest/api/2/attachment/10201
      curl -v https://cloudvps.atlassian.net/rest/api/2/attachment/10200
      curl -v https://cloudvps.atlassian.net/rest/api/2/comment/10372/properties
      curl -v https://cloudvps.atlassian.net/rest/api/2/comment/103720/properties
      

              Assignee:
              Unassigned
              Reporter:
              Koert van der Veer
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: