[JRASERVER-70569] Improper authorization on project titles vulnerability in Jira - CVE-2019-20404 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.6.0, 8.7.0, 8.5.11
Affects Version/s: 8.2.4
Component/s: REST API
Labels:

Fixed in Long Term Support Release/s:

Download 8.5
Introduced in Version:
8.02
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

The API in Atlassian Jira Server and Data Center before version 8.6.0 allows authenticated remote attackers to determine project titles they do not have access to via an improper authorization vulnerability.

Note on fix

The fix was tested internally before backporting it and no issues were detected.
However, the fix changes the behavior of the REST API, therefore as a stability precaution we introduced a feature flag that disables the fix. In case of any problems with the new behavior enable the com.atlassian.jira.projectvalidate.anonymous feature flag (feature flag documentation for reference).

is cloned by: JSEC-324 You do not have permission to view this issue

mentioned in: Page Failed to load; Page Failed to load

Andriy Yakovlev [Atlassian] made changes - 21/Jul/2021 11:49 AM

Remote Link

New: This issue links to "JSEC-324 (Bulldog)" [ 568316 ]

set-jac-bot made changes - 08/Dec/2020 10:09 PM

Fixed in Long Term Support Release/s

New: [Download 8.5|https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html]

Andriy Yakovlev [Atlassian] made changes - 08/Dec/2020 12:28 PM

Description

Original: The API in Atlassian Jira Server and Data Center before version 8.6.0 allows authenticated remote attackers to determine project titles they do not have access to via an improper authorization vulnerability.

New: The API in Atlassian Jira Server and Data Center before version 8.6.0 allows authenticated remote attackers to determine project titles they do not have access to via an improper authorization vulnerability.

h3. Note on fix
* The fix was tested internally before backporting it and no issues were detected. (/)
* However, the fix changes the behavior of the REST API, therefore as a stability precaution we introduced a feature flag that disables the fix. (i) In case of any problems with the new behavior enable the {{com.atlassian.jira.projectvalidate.anonymous}} feature flag ([feature flag documentation for reference|https://confluence.atlassian.com/jirakb/enable-dark-feature-in-jira-959286331.html]).

Pawel Cegla made changes - 08/Dec/2020 11:42 AM

Fix Version/s

New: 8.5.11 [ 93490 ]

Andriy Yakovlev [Atlassian] made changes - 03/Dec/2020 4:00 PM

Labels

Original: advisory advisory-released basm bugbash2 cve-2019-20404 cvss-medium security

New: advisory advisory-released basm bugbash2 cve-2019-20404 cvss-medium lts-backport security

Mark Lang made changes - 13/Oct/2020 1:44 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 509300 ]

Mark Lang made changes - 20/Aug/2020 3:30 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 500269 ]

Rene C. [Atlassian Support] made changes - 10/Feb/2020 7:09 AM

Link

New: This issue relates to JRASERVER-70520 [ JRASERVER-70520 ]

Erin Jensby made changes - 04/Feb/2020 4:37 PM

Security

Original: Atlassian Staff [ 10750 ]

Erin Jensby made changes - 04/Feb/2020 4:37 PM

Labels

Original: advisory advisory-to-release basm bugbash2 cve-2019-20404 cvss-medium security

New: advisory advisory-released basm bugbash2 cve-2019-20404 cvss-medium security

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 15 Start watching this issue

Created:: 30/Jan/2020 9:25 PM

Updated:: 21/Jul/2021 11:49 AM

Resolved:: 30/Jan/2020 9:27 PM

Details

Description

Note on fix

Attachments

Issue Links

Forms

Activity

[JRASERVER-70569] Improper authorization on project titles vulnerability in Jira - CVE-2019-20404

People

Dates