Details
-
Bug
-
Resolution: Fixed
-
Highest
-
5.2.4
-
5.02
-
4.3
-
Description
Summary of The Bug
By browsing to the following URL path user would be able to download any files under <JIRA_Install_Dir>/atlassian-jira/WEB-INF/...
<Server Base URL>/s/1519/3/1.0/_/WEB-INF/...
The above URL will be accessible by any users including anonymous even to an instance that does not allow anonymous access
Notes
This issue is not reproducible in IE9 (IE8 leads to the same issue)
Attachments
Issue Links
- is cloned from
-
CONFSERVER-27693 Default application configuration files are available for download
- Closed
- is related to
-
FE-4449 Default application files available for download via the application server.
- Closed
- Testing discovered
-
JRASERVER-31373 NoOpServlet should serve the standard 404 page
- Closed
- incorporates
-
JRADEV-18148 Loading...
- links to
- relates to
-
PLUGWEB-24 Loading...
- was cloned as
-
BDEV-2267 Loading...