[JRASERVER-71175] Information disclosure in Login - CVE-2020-4028 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.10.0, 8.9.1, 8.11.0, 8.5.6
Affects Version/s: 7.10.2, 8.5.0
Component/s: Login
Labels:

Fixed in Long Term Support Release/s:

Download 8.5
Introduced in Version:
7.1
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

Users without session information should be pushed to the login page.
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in Login.

Affected versions:

version < 8.9.1

Fixed versions:

8.9.1
8.10.0
8.11.0

Notes:

If the fix is causing problems it can be disabled by adding to Jira a dark feature flag

jira.redirect.anonymous.404.errors.disabled

The fix is available in LTS versions - 7.13.15+ and 8.5.6+ but will be disabled. The fix can be enabled by adding to Jira a dark feature flag

jira.redirect.anonymous.404.errors.enabled

Both feature flags can be added by admin via site `<jira_directory>/secure/SiteDarkFeatures!default.jspa`

causes

JRASERVER-71217 Jira Server mobile app cannot connect to Jira

Closed

mentioned in: Page Failed to load; Page Failed to load; Page Failed to load; Page Failed to load; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(4 mentioned in)

Form Name

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 26 Start watching this issue

Created:: 12/Jun/2020 8:05 PM

Updated:: 27/Jan/2025 8:38 PM

Resolved:: 16/Jun/2020 7:30 PM

Details

Description

Attachments

Issue Links

Forms

Activity

[JRASERVER-71175] Information disclosure in Login - CVE-2020-4028

People

Dates