-
Bug
-
Resolution: Fixed
-
Low (View bug fix roadmap)
-
8.2.4
-
8.02
-
Severity 3 - Minor
-
The API in Atlassian Jira Server and Data Center before version 8.6.0 allows authenticated remote attackers to determine project titles they do not have access to via an improper authorization vulnerability.
Note on fix
- The fix was tested internally before backporting it and no issues were detected.
- However, the fix changes the behavior of the REST API, therefore as a stability precaution we introduced a feature flag that disables the fix.
In case of any problems with the new behavior enable the com.atlassian.jira.projectvalidate.anonymous feature flag (feature flag documentation for reference).
![[JIRA Server (Bulldog)]](/images/icons/generic_link_16.png "[JIRA Server (Bulldog)]"){kind=icon}
[JRASERVER-70569] Improper authorization on project titles vulnerability in Jira - CVE-2019-20404
| Remote Link | New: This issue links to "JSEC-324 (Bulldog)" [ 568316 ] |
| Fixed in Long Term Support Release/s | New: [Download 8.5|https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html] |
| Description | Original: The API in Atlassian Jira Server and Data Center before version 8.6.0 allows authenticated remote attackers to determine project titles they do not have access to via an improper authorization vulnerability. |
New:
The API in Atlassian Jira Server and Data Center before version 8.6.0 allows authenticated remote attackers to determine project titles they do not have access to via an improper authorization vulnerability.
h3. Note on fix * The fix was tested internally before backporting it and no issues were detected. (/) * However, the fix changes the behavior of the REST API, therefore as a stability precaution we introduced a feature flag that disables the fix. (i) In case of any problems with the new behavior enable the {{com.atlassian.jira.projectvalidate.anonymous}} feature flag ([feature flag documentation for reference|https://confluence.atlassian.com/jirakb/enable-dark-feature-in-jira-959286331.html]). |
| Fix Version/s | New: 8.5.11 [ 93490 ] |
| Labels | Original: advisory advisory-released basm bugbash2 cve-2019-20404 cvss-medium security | New: advisory advisory-released basm bugbash2 cve-2019-20404 cvss-medium lts-backport security |
This needs to be back ported to 8.5, Whats the point of an LTS if it isn't being fixed?
| Remote Link | New: This issue links to "Page (Confluence)" [ 509300 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 500269 ] |
Please fix this bug in LTS 8.5
Our company uses regular scans for vulnerabilities and this bug was detected via Qualys (QID 13829) with a medium priority (which means I have to fix it within 21 days according to our policies).
We choosed the LTS version in order to have less stress with permanent updates and don't want to switch now to the current release of Jira in order to fix this. Information disclosure should be a reason for a backport.
Hi,
Thank you for all your comments and questions. We would like to inform that the fix we provided for this issue was backported to Jira 8.5 LTS version and will be released in Jira 8.5.11.
The fix was tested internally before backporting it and no issues were detected. However, the fix changes the behavior of the REST API, therefore as a stability precaution we introduced a feature flag that disables the fix. In case of any problems with the new behavior enable the com.atlassian.jira.projectvalidate.anonymous feature flag (feature flag documentation for reference).
If you notice any issues connected with the provided fix, please let us know in the comments below.
Cheers,
Paweł
Jira Server & DC