The API in Atlassian Jira Server and Data Center before version 8.6.0 allows authenticated remote attackers to determine project titles they do not have access to via an improper authorization vulnerability.

Note on fix

• The fix was tested internally before backporting it and no issues were detected.
• However, the fix changes the behavior of the REST API, therefore as a stability precaution we introduced a feature flag that disables the fix. In case of any problems with the new behavior enable the com.atlassian.jira.projectvalidate.anonymous feature flag (feature flag documentation for reference).