-
Bug
-
Resolution: Fixed
-
Low (View bug fix roadmap)
-
7.10.2, 8.5.0
-
7.1
-
Severity 2 - Major
-
Users without session information should be pushed to the login page.
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in Login.
Affected versions:
- version < 8.9.1
Fixed versions:
- 8.9.1
- 8.10.0
- 8.11.0
Notes:
If the fix is causing problems it can be disabled by adding to Jira a dark feature flag
jira.redirect.anonymous.404.errors.disabled
The fix is available in LTS versions - 7.13.15+ and 8.5.6+ but will be disabled. The fix can be enabled by adding to Jira a dark feature flag
jira.redirect.anonymous.404.errors.enabled
Both feature flags can be added by admin via site `<jira_directory>/secure/SiteDarkFeatures!default.jspa`
[JRASERVER-71175] Information disclosure in Login - CVE-2020-4028
| Remote Link | Original: This issue links to "Page (Atlassian Documentation)" [ 492182 ] |
| Remote Link | Original: This issue links to "Page (Atlassian Documentation)" [ 492183 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 556365 ] |
| Fixed in Long Term Support Release/s | New: [Download 8.5|https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html] |
| Fix Version/s | New: 8.5.6 [ 92104 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 509112 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 507771 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 500693 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 500390 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 497105 ] |