Most project keys can be enumerated by unprivileged user


    • Severity 3 - Minor

      On a JIRA instance that requires you to be signed in to view tickets,
      when navigating to a ticket using the URL (JIRA URL)/browse/(project key)-(ticket number), if the issue exists, the user will be redirected to a sign-in page, whereas if the ticket does not exist, an 'issue does not exist' page is displayed.

      While knowing if an issue exists or not is not useful to an attacker, knowing if a project exists may be, for example, to a competitor of an organisation that uses JIRA.

      An example where this could be a problem can be taken from an incident a while back where the Valve JIRA was made open, and people found projects named L4D3 and HL3 - codenames for two projects that the public is eager to see released.

      It would be trivial to create a script which enumerates all 1-4 character project keys matching pattern [0-9A-F]+ and browses for issue (project key)-1 for each, to see if it existed. At one request a second (which is quite slow, as they could be done asynchronously, and should take less time), all 1,727,604 requests would only take 11.5 days.

      The suggested fix is to require login regardless of whether the issue exists or not.
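      The difference in ordering described in this report, shown as an added example (not Atlassian's code): a hypothetical `/browse/` handler that checks issue existence before authentication leaks project existence to anonymous callers, while the suggested fix checks authentication first; `leaks_existence` is a regression check a defender can keep in a test suite. The issue store and paths are constructed sample data.

```python
import re
from typing import Callable, Set, Tuple

# Constructed sample data: issues that "exist" on this hypothetical instance.
ISSUES: Set[str] = {"ABC-1", "ABC-2", "HL3-1"}

# Matches (JIRA URL)/browse/(project key)-(ticket number) as described in the report.
BROWSE = re.compile(r"^/browse/([A-Z][A-Z0-9]*)-(\d+)$")

Response = Tuple[int, str]


def _issue_key(path: str):
    m = BROWSE.match(path)
    return f"{m.group(1)}-{m.group(2)}" if m else None


def vulnerable_browse(path: str, authenticated: bool) -> Response:
    """Behaviour the report describes: existence is checked before authentication,
    so an anonymous caller gets 302 for a real issue and 404 for a missing one."""
    key = _issue_key(path)
    if key is None or key not in ISSUES:
        return (404, "issue does not exist")
    if not authenticated:
        return (302, "/login")
    return (200, key)


def hardened_browse(path: str, authenticated: bool) -> Response:
    """Suggested fix: require login before consulting the issue store, so the
    anonymous response is identical whether or not the issue (or project) exists."""
    if not authenticated:
        return (302, "/login")
    key = _issue_key(path)
    if key is None or key not in ISSUES:
        return (404, "issue does not exist")
    return (200, key)


def leaks_existence(handler: Callable[[str, bool], Response]) -> bool:
    """Oracle check: do anonymous responses differ between an existing
    issue and a non-existing one? True means the handler leaks existence."""
    real = handler("/browse/ABC-1", authenticated=False)
    fake = handler("/browse/ZZZ-1", authenticated=False)
    return real != fake
```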

              Assignee: Unassigned
              Reporter: Scott Dennison
              Votes: 0
              Watchers: 2