Uploaded image for project: 'Jira Server and Data Center'
  1. Jira Server and Data Center
  2. JRASERVER-71175

Information disclosure in Login - CVE-2020-4028

    XMLWordPrintable

    Details

      Description

      Users without session information should be pushed to the login page.
      Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in Login.

      Affected versions:

      • version < 8.9.1

      Fixed versions:

      • 8.9.1
      • 8.10.0
      • 8.11.0

      Notes:

      If the fix is causing problems it can be disabled by adding to Jira a dark feature flag

      jira.redirect.anonymous.404.errors.disabled
      

      The fix is available in LTS versions - 7.13.15+ and 8.5.6+ but will be disabled. The fix can be enabled by adding to Jira a dark feature flag

      jira.redirect.anonymous.404.errors.enabled

      Both feature flags can be added by admin via site `<jira_directory>/secure/SiteDarkFeatures!default.jspa`

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              17 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: