Users without session information should be pushed to the login page.
      Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in Login.

      Affected versions:

      • version < 8.9.1

      Fixed versions:

      • 8.9.1
      • 8.10.0
      • 8.11.0

      Notes:

      If the fix causes problems, it can be disabled by adding the following dark feature flag to Jira:

      jira.redirect.anonymous.404.errors.disabled

      The fix is also available in the LTS versions 7.13.15+ and 8.5.6+, but there it is disabled by default. It can be enabled by adding the following dark feature flag to Jira:

      jira.redirect.anonymous.404.errors.enabled

      Both feature flags can be added by admin via site `<jira_directory>/secure/SiteDarkFeatures!default.jspa`

            [JRASERVER-71175] Information disclosure in Login - CVE-2020-4028

            Lee Meinecke added a comment -

            ^^ That's a good question. We do not have that enabled in our instance.

            Nancy Orlowski added a comment -

            Does 'Anonymous Access' need to be enabled to have this vulnerability?

            jira guy added a comment -

            this is not fixed in 8.11.1 version


            Anoop Wilson added a comment -

            Why is this not added in Enterprise Releases? I am seeing a similar behavior in Bitbucket as well.

            Lee Meinecke added a comment - - edited

            We've updated to 8.5.6 and applied the setting below however it still shows up on our Qualys scans. I don't know for sure if it is just a FP because it is only checking version and not what the dark setting is actually doing. How can I confirm the dark setting and software update is actually working? 

            jira.redirect.anonymous.404.errors.enabled


            James added a comment - - edited

            Since it's the 404 page that's leaky, you can use a custom 404 page until you can upgrade as a workaround, yeah?

            It sounds like it's the issue of the 404 in itself that's the disclosure. So any would have the same effect:

            Various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page, in some situations this may have allowed unauthorised attackers to determine if certain resources exist or not through an Information Disclosure vulnerability.

            Workaround could be to intercept all 404s generated by Jira (from non-logged-in users if possible) and redirect them to the login page.


            David Yu added a comment -

            Since it's the 404 page that's leaky, you can use a custom 404 page until you can upgrade as a workaround, yeah?

            This is pretty simple with a proxy such as nginx--use proxy_intercept_errors, and then direct to a plain 'ol 404.html page.


            Pawel Przytarski added a comment -

            6913611e79d0 I checked with Mobile App team. They are aware of this issue and are working on it. They should solve the problem in the near future. No specific dates yet.

            Edward Alekxandr added a comment - - edited

            I can confirm that adding this dark feature flag allows the Jira mobile app to connect and login.


            When are the Mobile App team changing the app to not require this?


            Tobias Heinemann added a comment - - edited

            I am excited to see if the bug fix will be backported at all. According to the bug fix policy this is done for critical bugs only.
            Thank you for the update Pawel.


              Assignee: Unassigned
              Reporter: Security Metrics Bot
              Affected customers: 0
              Watchers: 26
