Jira Cloud allows remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint.
- Access the Jira Cloud URL: https://hostname.atlassian.net/secure/QueryComponent!Default.jspa as anonymous user without logging in.
The endpoint should not expose custom field names etc.
It shows custom field names and custom SLA names.
We have tested this issue in Jira Cloud and have found that the issue described in the ticket is not reproducible. If an unauthorised user tries to access the URL, the user can see default Jira fields - that are the same for any instance, not custom fields. Thus no sensitive information gets exposed & we have closed this ticket.