Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-38101

Jira outputs a stack trace to the screen when an error is encountered

XMLWordPrintable

    • 6.02
    • 61
    • Severity 3 - Minor
    • 97
    • Hide
      Atlassian Update – 26 March 2021

      Hello everyone,

      We would like to inform you that our team has finished work on this issue. Solution to the described problem consists of:

      • Hiding the stacktrace for the anonymous and not-admin users.
      • Showing the stacktrace to all admins, with a property called "Show stack trace" to disable stacktrace visibility completely.

      Jira admins will still be able to troubleshoot problems raised by the end-users by using ‘Log’s referral number’ visible to them. This number is appended to logged stacktraces associated with errors encountered by users.

      This feature will be released in Jira 8.17.0. Due to the nature of the problem and the fact that it was not a bug, we do not plan to backport this change to previous versions of Jira.

      Thank you.
      Jira Server and Data Center Team

      Show
      Atlassian Update – 26 March 2021 Hello everyone, We would like to inform you that our team has finished work on this issue. Solution to the described problem consists of: Hiding the stacktrace for the anonymous and not-admin users. Showing the stacktrace to all admins, with a property called " Show stack trace " to disable stacktrace visibility completely. Jira admins will still be able to troubleshoot problems raised by the end-users by using ‘Log’s referral number’ visible to them. This number is appended to logged stacktraces associated with errors encountered by users. This feature will be released in Jira 8.17.0. Due to the nature of the problem and the fact that it was not a bug, we do not plan to backport this change to previous versions of Jira. Thank you. Jira Server and Data Center Team

      Problem

      When users are greeted by the error 500 page, they can click on the Request assistance link to expand and see the long stack trace of the error that occurs. The information is not useful to most of the end users but it's not possible to hide it from them.

      Suggestion

      To have an option to hide any technical information about an error to users or feature to set a generic error page to users.

      In some cases, no error is visible in the GUI but still can be captured by the browser's F12 tools. The bug fix should take this into account as well.

      Remarks

      The stack trace does not contain sensitive information about the application that cannot be gathered from the product's source code, which is available to any paying customer.

      Original description

      When an error condition is triggered by a user or black-box security scanner such as Acunetix, the system provides an appropriate error page. However, the error page includes the stack trace which the scanner will determine to be a potential Information Disclosure vulnerability because the stack trace may include information that can be used by an attacker to refine their attack or information gathering efforts.

      Reproduction (one example) can be performed using the following steps:

      1.) As a user, log in to Jira and nagivate to /charts by changing the url to https://<yourjiradomain>/charts

      2.) Click the "Request Assistance" link to view the stack trace

      This is an example request sent to Jira from Acunetix which produced the problem:

      GET /charts HTTP/1.1
      Pragma: no-cache
      Cache-Control: no-cache
      Cookie: JSESSIONID=9682349A6ADB9BDC7F9923C26E05C9BE;
      atlassian.xsrf.token=B50V-89VK-EG1H-RFHM|670c916d8653f5135e09afda57b558400b095218|lin
      Host: jira-test.ksc.nasa.gov
      Connection: Keep-alive
      Accept-Encoding: gzip,deflate
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
      Chrome/28.0.1500.63 Safari/537.36
      Acunetix-Product: WVS/9.0 (Acunetix Web Vulnerability Scanner - NORMAL)
      Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
      Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
      Accept: /

              15609d8ba305 Filip Nowak
              3c42dc5cab19 Gavin Roberts
              Votes:
              50 Vote for this issue
              Watchers:
              67 Start watching this issue

                Created:
                Updated:
                Resolved: