Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 10.2.0
Affects Version/s: 7.6.15, 8.5.4, 7.13.13, 8.8.0, 9.4.14
Component/s: Security
Labels:

Introduced in Version:
7.06
Support reference count:
26
Symptom Severity:
Severity 3 - Minor
UIS:
7
Bug Fix Policy:
View Atlassian Server bug fix policy

Issue Summary

"About Jira" page can be accessed anonymously. This can expose the Jira application versions. Some customers might want to prevent this information from being available as it could be used to target other vulnerabilities specific to the version.

Steps to Reproduce

Access <JIRA BASE URL>/secure/AboutPage.jspa anonymously

Expected Results

The user gets redirected to log in

Actual Results

The page is shown:

Notes
This happens even if the public access is blocked using a flag in the dark features

Workaround

Create a block the URL from being accessed from the proxy side. Another option is doing it from Apache Tomcat: How to block access to a specific URL at Tomcat

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

image-2020-04-29-16-59-12-723.png
102 kB
29/Apr/2020 8:59 AM

is related to

JRASERVER-71317 Browsing serverInfo anonymously gives version number information

Gathering Impact

JRASERVER-62282 Ability to disable/hide the REST endpoint for serverInfo

Gathering Interest

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

relates to: VULN-164510 Loading...; RM-22091 Loading...

(2 mentioned in, 2 relates to)

Assignee:: Jakub Sildatk

Reporter:: Rene C. [Atlassian Support]

Votes:: 32 Vote for this issue

Watchers:: 38 Start watching this issue

Created:: 29/Apr/2020 9:16 AM

Updated:: 21/Nov/2024 2:55 PM

Resolved:: 20/Nov/2024 3:50 PM

Details

Description

Issue Summary

Steps to Reproduce

Expected Results

Actual Results

Workaround

Attachments

Attachments

Issue Links

Forms

Activity

People

Dates