Details
Bug
Resolution: Not a bug
Low
None
6.0.7
None
6
Description
"Calling" this function returns data without any authentication required:
curl https://support.atlassian.com/rest/menu/latest/appswitcher | python -mjson.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   787    0   787    0     0    531      0 --:--:--  0:00:01 --:--:--   640
[
    {
        "key": "home",
        "label": "Atlassian JIRA",
        "link": "https://jira.atlassian.com/",
        "local": false,
        "self": false
    },
    {
        "key": "home",
        "label": "Atlassian Support System",
        "link": "https://support.atlassian.com/",
        "local": false,
        "self": true
    },
    {
        "key": "home",
        "label": "Ecosystem JIRA",
        "link": "https://ecosystem.atlassian.net/",
        "local": false,
        "self": false
    },
    {
        "key": "home",
        "label": "PUG - JIRA (unused)",
        "link": "https://pug.jira.com/",
        "local": false,
        "self": false
    },
    {
        "key": "home",
        "label": "Atlaseye",
        "link": "https://atlaseye.atlassian.com/graph/confluence-git",
        "local": false,
        "self": false
    },
    {
        "key": "home",
        "label": "Bitbucket",
        "link": "http://bitbucket.org/atlassian/",
        "local": false,
        "self": false
    },
    {
        "key": "home",
        "label": "CBAC Builds",
        "link": "https://confluence-bamboo.atlassian.com/browse/CONFFUNC",
        "local": false,
        "self": false
    }
]
Given that it reveals details about linked applications, this call should not return any data without a JIRA System Administrator username and password.
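An administrator reviewing their own instance can classify what an anonymous request to this endpoint discloses. The sketch below is an added example, not part of the original report or of JIRA itself; the function name and result keys are hypothetical, and the sample body is a shortened copy of the response shown above.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: a shortened copy of the response quoted in the report.
SAMPLE_BODY = json.dumps([
    {"key": "home", "label": "Atlassian Support System",
     "link": "https://support.atlassian.com/", "local": False, "self": True},
    {"key": "home", "label": "Ecosystem JIRA",
     "link": "https://ecosystem.atlassian.net/", "local": False, "self": False},
    {"key": "home", "label": "Bitbucket",
     "link": "http://bitbucket.org/atlassian/", "local": False, "self": False},
])


def audit_anonymous_response(status, body):
    """Classify what an unauthenticated appswitcher response discloses.

    status and body are the HTTP status code and response text obtained
    without credentials (hypothetical helper, fetch them however you like).
    """
    result = {"exposed": False, "linked_hosts": [], "cleartext_links": []}
    if status in (401, 403):
        return result                      # endpoint demanded credentials
    try:
        entries = json.loads(body)
    except ValueError:
        return result                      # e.g. an HTML login page
    if not isinstance(entries, list):
        return result
    for entry in entries:
        if not isinstance(entry, dict) or "link" not in entry:
            continue
        url = urlsplit(str(entry["link"]))
        if not url.hostname:
            continue
        if not entry.get("self"):
            # Any entry other than the instance itself is a linked application.
            result["linked_hosts"].append(url.hostname)
        if url.scheme == "http":
            # Linked over plain HTTP, worth fixing regardless of exposure.
            result["cleartext_links"].append(entry.get("label", url.hostname))
    result["exposed"] = bool(result["linked_hosts"])
    return result


if __name__ == "__main__":
    print(audit_anonymous_response(200, SAMPLE_BODY))
```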