Details
-
Bug
-
Resolution: Not a bug
-
Low
-
None
-
6.0.7
-
None
-
6
-
Description
"Calling" this function returns data without any authentication required:
curl https://support.atlassian.com/rest/menu/latest/appswitcher | python -mjson.tool
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 787 0 787 0 0 531 0 --:--:-- 0:00:01 --:--:-- 640
[
{
"key": "home",
"label": "Atlassian JIRA",
"link": "https://jira.atlassian.com/",
"local": false,
"self": false
},
{
"key": "home",
"label": "Atlassian Support System",
"link": "https://support.atlassian.com/",
"local": false,
"self": true
},
{
"key": "home",
"label": "Ecosystem JIRA",
"link": "https://ecosystem.atlassian.net/",
"local": false,
"self": false
},
{
"key": "home",
"label": "PUG - JIRA (unused)",
"link": "https://pug.jira.com/",
"local": false,
"self": false
},
{
"key": "home",
"label": "Atlaseye",
"link": "https://atlaseye.atlassian.com/graph/confluence-git",
"local": false,
"self": false
},
{
"key": "home",
"label": "Bitbucket",
"link": "http://bitbucket.org/atlassian/",
"local": false,
"self": false
},
{
"key": "home",
"label": "CBAC Builds",
"link": "https://confluence-bamboo.atlassian.com/browse/CONFFUNC",
"local": false,
"self": false
}
]
Given that it reveals details about linked applications, this call should not return any data without a JIRA System Administrator username and password.