Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 8.10.0, 8.9.1, 8.11.0, 8.5.6
Affects Version/s: 7.10.2, 8.5.0
Component/s: Login
Labels:

Fixed in Long Term Support Release/s:

Download 8.5
Introduced in Version:
7.1
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Users without session information should be pushed to the login page.
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in Login.

Affected versions:

version < 8.9.1

Fixed versions:

8.9.1
8.10.0
8.11.0

Notes:

If the fix is causing problems it can be disabled by adding to Jira a dark feature flag

jira.redirect.anonymous.404.errors.disabled

The fix is available in LTS versions - 7.13.15+ and 8.5.6+ but will be disabled. The fix can be enabled by adding to Jira a dark feature flag

jira.redirect.anonymous.404.errors.enabled

Both feature flags can be added by admin via site `<jira_directory>/secure/SiteDarkFeatures!default.jspa`

Attachments

Issue Links

causes

JRASERVER-71217 Jira Server mobile app cannot connect to Jira

Closed

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(6 mentioned in)

Activity

People

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 26 Start watching this issue

Dates

Created:: 12/Jun/2020 8:05 PM

Updated:: 01/Jun/2021 4:22 PM

Resolved:: 16/Jun/2020 7:30 PM