Details
- Type: Suggestion
- Resolution: Unresolved
Description
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.
In addition, I already found this issue: https://jira.atlassian.com/browse/JRA-20505, but it covered only JIRA and its footer.
Background
In general, the full stack of Atlassian products provides a lot of meta information to anonymous users. That affects not only the footer, which can be adjusted manually for each product (see the end user agreement, 6.4 Attribution), but also the information within the HTML headers.
Providing this information even to anonymous users on any login mask could be abused to identify security flaws. So if we just remove the version from the footer, the page itself still contains all the needed information, e.g.:
<meta name="application-name" content="JIRA" data-name="jira" data-version="6.4.1">
Also, all manual changes are not fully proof against upcoming updates and therefore increase the maintenance burden. In short: editing templates is just quick and dirty and cannot be best practice.
I suggest giving end users (in an administrator role) the option to hide all internal information from users who are not logged in. Such a system should only provide the login mask and, in accordance with EUA 6.4, the "powered by Atlassian" term.
Benefit and Business value
Each product becomes more secure and more resistant to potential attacks. In my opinion this is helpful for all of your business customers who need their Atlassian stack or a single product online.
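As an added example (not part of the ticket or of any Atlassian product), the following self-check lets an administrator verify, on the saved HTML of a login page fetched while logged out, that hardening removed the version from both the footer and the application-name meta tag quoted above. The footer format and the sample page are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Matches "6.4.1" or "v6.4.1" as a whole token, e.g. inside "(v6.4.1#64016-...)".
VERSION_RE = re.compile(r"\bv?(\d+\.\d+(?:\.\d+)*)\b")

class VersionDisclosureParser(HTMLParser):
    """Collects (source, context, version) findings from meta tags and footer text."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_footer = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Case 1: the <meta name="application-name"> tag quoted in the ticket carries data-version.
        if tag == "meta" and a.get("name") == "application-name" and a.get("data-version"):
            self.findings.append(("meta", a.get("content", "?"), a["data-version"]))
        if tag == "footer":
            self._in_footer = True

    def handle_endtag(self, tag):
        if tag == "footer":
            self._in_footer = False

    def handle_data(self, data):
        # Case 2: a version string such as "(v6.4.1#...)" in the footer text.
        if self._in_footer:
            m = VERSION_RE.search(data)
            if m:
                self.findings.append(("footer", data.strip(), m.group(1)))

def find_version_disclosures(html):
    """Return every version disclosure found in the page; an empty list means the page is clean."""
    parser = VersionDisclosureParser()
    parser.feed(html)
    return parser.findings

# Constructed sample login page (not captured from a real instance), built around the ticket's meta tag.
SAMPLE_PAGE = (
    '<html><head><meta name="application-name" content="JIRA" data-name="jira" data-version="6.4.1">'
    '</head><body><form action="/login.jsp"></form>'
    '<footer>Atlassian JIRA Project Management Software (v6.4.1#64016-sha1:abcdef0)</footer></body></html>'
)

if __name__ == "__main__":
    for source, context, version in find_version_disclosures(SAMPLE_PAGE):
        print(f"{source}: version {version} disclosed ({context!r})")
```

After hiding internal information for anonymous users, the same check run on the hardened page should return an empty list.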
Issue Links
- is related to JRASERVER-70944 Make use of Secure Introspector in Velocity Templates - CVE-2019-20409 (Closed)
- relates to JRACLOUD-43726 JIRA provides many information to anonymous users (Closed)