Users without session information should be pushed to the login page.
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in Login.

Affected versions:

• version < 8.9.1

Fixed versions:

• 8.9.1
• 8.10.0
• 8.11.0

Notes:

If the fix causes problems it can be disabled by adding the following dark feature flag to Jira:

jira.redirect.anonymous.404.errors.disabled

The fix is also available in the LTS versions 7.13.15+ and 8.5.6+, but is disabled there by default. It can be enabled by adding the following dark feature flag to Jira:

jira.redirect.anonymous.404.errors.enabled

Both feature flags can be added by an admin via `<jira_directory>/secure/SiteDarkFeatures!default.jspa`

[JRASERVER-71175] Information disclosure in Login - CVE-2020-4028

Lee Meinecke added a comment -

^^ That's a good question. We do not have that enabled in our instance.

Nancy Orlowski added a comment -

Does 'Anonymous Access' need to be enabled to have this vulnerability?

jira guy added a comment -

this is not fixed in 8.11.1 version

Anoop Wilson added a comment -

Why is this not added in Enterprise Releases? I am seeing a similar behavior in Bitbucket as well.

Lee Meinecke added a comment - edited

We've updated to 8.5.6 and applied the setting below however it still shows up on our Qualys scans. I don't know for sure if it is just a FP because it is only checking version and not what the dark setting is actually doing. How can I confirm the dark setting and software update is actually working?

jira.redirect.anonymous.404.errors.enabled

James added a comment - edited

Since it's the 404 page that's leaky, you can use a custom 404 page until you can upgrade as a workaround, yeah?

It sounds like it's the issue of the 404 in itself that's the disclosure. So any would have the same effect:

Various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page, in some situations this may have allowed unauthorised attackers to determine if certain resources exist or not through an Information Disclosure vulnerability.

Workaround could be to intercept all 404s generated by Jira (from non-logged-in users if possible) and redirect them to the login page.

David Yu added a comment -

Since it's the 404 page that's leaky, you can use a custom 404 page until you can upgrade as a workaround, yeah?

This is pretty simple with a proxy such as nginx--use proxy_intercept_errors, and then direct to a plain ol' 404.html page.
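Lee Meinecke's question above (how to confirm that the dark feature flag is actually doing something, rather than trusting a scanner that only looks at the version string) and the proxy-based workaround discussed in the two comments above come down to the same observable: an unauthenticated request to a protected resource should be answered with a redirect to the login page, not with a 404. The script below is an added example for checking that observable against your own instance; it is not code from Atlassian or from this issue. It assumes the login page is at `/login.jsp` (Jira's default; adjust `LOGIN_PATH` if your instance differs), treats the probe paths as operator-supplied (the ones embedded here are constructed samples, not resources named anywhere in this issue), and classifies responses only by status code and `Location` header.

```python
"""Check whether unauthenticated requests to a Jira instance are redirected
to the login page instead of answered with a 404.

Added example, not Atlassian's code. The probe paths and the sample
responses below are constructed for illustration.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Jira's default login page; adjust if your deployment uses another path.
LOGIN_PATH = "/login.jsp"

# Hypothetical probe paths: a protected resource and a non-existent one.
# Replace with resources that matter in your instance.
PROBE_PATHS = ["/secure/ExampleProtected.jspa", "/secure/DoesNotExist.jspa"]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the Location header is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, location, login_path=LOGIN_PATH):
    """Classify one unauthenticated response by status and Location header."""
    if status in (301, 302, 303, 307, 308) and location:
        if login_path in urlparse(location).path:
            return "redirects-to-login"   # the behaviour the fix produces
        return "redirects-elsewhere"
    if status == 404:
        return "leaks-404"                # existence of the resource is exposed
    if status in (401, 403):
        return "denied"
    return "other"


def fetch_unauthenticated(url, timeout=10):
    """Request url with no cookies or credentials; return (status, Location)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "jira-404-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # Redirects and error statuses both surface here once NoRedirect
        # declines to follow them; the headers are still available.
        return err.code, err.headers.get("Location")


def assess(results, login_path=LOGIN_PATH):
    """results: iterable of (path, status, location).

    Returns (ok, report) where ok is False if any probe leaked a 404.
    """
    report = {path: classify(status, loc, login_path) for path, status, loc in results}
    return all(v != "leaks-404" for v in report.values()), report


def check_instance(base_url, paths=PROBE_PATHS):
    """Probe a live instance (network access required)."""
    results = []
    for path in paths:
        status, loc = fetch_unauthenticated(urljoin(base_url, path))
        results.append((path, status, loc))
    return assess(results)


# Constructed sample responses: before the fix, a 404 is returned for the
# protected path; after the fix (or with a proxy that intercepts 404s), both
# paths redirect to the login page.
SAMPLE_BEFORE_FIX = [
    ("/secure/ExampleProtected.jspa", 404, None),
    ("/secure/DoesNotExist.jspa", 404, None),
]
SAMPLE_AFTER_FIX = [
    ("/secure/ExampleProtected.jspa", 302,
     "https://jira.example.test/login.jsp?os_destination=%2Fsecure%2FExampleProtected.jspa"),
    ("/secure/DoesNotExist.jspa", 302,
     "https://jira.example.test/login.jsp?os_destination=%2Fsecure%2FDoesNotExist.jspa"),
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        ok, report = check_instance(sys.argv[1])
    else:
        ok, report = assess(SAMPLE_AFTER_FIX)
    for path, verdict in report.items():
        print(f"{verdict:20} {path}")
    print("OK" if ok else "STILL LEAKING 404s")
```

Run it as `python check_jira_404.py https://jira.example.test` after enabling `jira.redirect.anonymous.404.errors.enabled` or after putting the nginx `proxy_intercept_errors` workaround in front of Jira; a `leaks-404` verdict for a resource that should be protected means the change is not taking effect for that path. The same redirect-to-login behaviour is what broke the Jira mobile app for commenters further down this issue, so test the app after enabling the flag.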

Pawel Przytarski added a comment -

6913611e79d0 I checked with Mobile App team. They are aware of this issue and are working on it. They should solve the problem in the near future. No specific dates yet.

Edward Alekxandr added a comment - edited

I can confirm that adding this dark feature flag allows the Jira mobile app to connect and login.

When are the Mobile App team changing the app to not require this?

Tobias Heinemann added a comment - edited

I am excited to see if the bug fix will be backported at all. According to the bug fix policy this is done for critical bugs only.
Thank you for the update Pawel.

Pawel Przytarski added a comment -

Atlassian Update – 23 June 2020

If the fix is causing problems it can be disabled by adding to Jira a dark feature flag

jira.redirect.anonymous.404.errors.disabled

The fix will also be available in LTS versions - 7.13.15 and 8.5.6 but will be disabled. The fix can be enabled by adding to Jira a dark feature flag

jira.redirect.anonymous.404.errors.enabled

Both feature flags can be added by admin via site `<jira_directory>/secure/SiteDarkFeatures!default.jspa`

Cheers, Paweł Przytarski
Jira Server Bugfix Team

Hannes Medwed added a comment -

From my point of view this affects also the EA version 8.5.5. Can you please confirm this?
Is there any quick workaround?
EA 8.5.6 release is planned for which date?

Matt Doar added a comment -

I read the affected versions as anything before 8.9.1 so I would expect 8.5.4 to be affected for example

John Hayes added a comment - edited

Can you also confirm if this only impacts 7.10.2, 8.5.0, per affected versions, or version < 8.9.1 as per the description

If so, does that mean this is fixed in 8.5.1?

John Hayes added a comment -

Is there a workaround for this, or any plan to back port to Enterprise releases - forcing an upgrade to the very latest version is a tough ask for many companies.

Edward Alekxandr added a comment -

This appears to have broken the Jira Mobile app's ability to connect and login.

https://confluence.atlassian.com/jirakb/problems-with-logging-in-because-of-missing-headers-or-cookies-981146624.html

Security Metrics Bot added a comment -

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 5.3 => Medium severity

Exploitability Metrics

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None

Scope Metric

Scope: Unchanged

Impact Metrics

Confidentiality: Low
Integrity: None
Availability: None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Assignee: Unassigned
Reporter: Security Metrics Bot
Affected customers: 0
Watchers: 26