Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-70569

Improper authorization on project titles vulnerability in Jira - CVE-2019-20404

XMLWordPrintable

      The API in Atlassian Jira Server and Data Center before version 8.6.0 allows authenticated remote attackers to determine project titles they do not have access to via an improper authorization vulnerability.

      Note on fix

      • The fix was tested internally before backporting it and no issues were detected.
      • However, the fix changes the behavior of the REST API, therefore as a stability precaution we introduced a feature flag that disables the fix. In case of any problems with the new behavior enable the com.atlassian.jira.projectvalidate.anonymous feature flag (feature flag documentation for reference).

            Unassigned Unassigned
            security-metrics-bot Security Metrics Bot
            Votes:
            0 Vote for this issue
            Watchers:
            15 Start watching this issue

              Created:
              Updated:
              Resolved: