[%22Issue] Improper authorization on project titles vulnerability in Jira - CVE-2019-20404 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 8.6.0, 8.7.0, 8.5.11
Affects Version/s: 8.2.4
Component/s: REST API
Labels:

Fixed in Long Term Support Release/s:

Download 8.5
Introduced in Version:
8.02
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

The API in Atlassian Jira Server and Data Center before version 8.6.0 allows authenticated remote attackers to determine project titles they do not have access to via an improper authorization vulnerability.

Note on fix

The fix was tested internally before backporting it and no issues were detected.
However, the fix changes the behavior of the REST API, therefore as a stability precaution we introduced a feature flag that disables the fix. In case of any problems with the new behavior enable the com.atlassian.jira.projectvalidate.anonymous feature flag (feature flag documentation for reference).

is cloned by: JSEC-324 Loading...

mentioned in: Page Loading...; Page Loading...

No work has yet been logged on this issue.

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 15 Start watching this issue

Created:: 30/Jan/2020 9:25 PM

Updated:: 21/Jul/2021 11:49 AM

Resolved:: 30/Jan/2020 9:27 PM

Details

Description

Note on fix

Attachments

Issue Links

Forms

Activity

[JRASERVER-70569] Improper authorization on project titles vulnerability in Jira - CVE-2019-20404

People

Dates