-
Bug
-
Resolution: Fixed
-
Low (View bug fix roadmap)
-
8.5.5, 8.10.0, 8.9.1, 8.20.1, 9.12.12, 10.1.1
-
8.05
-
16
-
Severity 3 - Minor
-
3
-
Issue Summary
Browsing serverInfo anonymously gives version number information
Steps to Reproduce
- curl https://<jira-server>/rest/api/2/serverInfo
- navigate to https://<jira-server>/rest/api/2/serverInfo in a browser
Expected Results
Fail to connect
Actual Results
The below exception is thrown in the xxxxxxx.log file:
baseUrl "https://ocean.agilecraft.xyz" version "8.5.5" versionNumbers 0 8 1 5 2 5 deploymentType "Server" buildNumber 805005 buildDate "2020-06-05T00:00:00.000+0000" databaseBuildNumber 805005 scmInfo "a6982cff65627fb3fa50669b736095827f0ea0a7" serverTitle "JIRA"
Workaround
Possible API gateway/proxy setup or whitelist IPs that are trusted
- relates to
-
-
- Closed
-
-
JRASERVER-62282 Ability to disable/hide the REST endpoint for serverInfo
- Closed
| Form Name | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
[JRASERVER-71317] Browsing serverInfo anonymously gives version number information
Is this really a bug though? We rely on this information in our apps to determine which logic to use to connect to different versions of Jira DC? This also seems to be broken in 10.3, as it always throws a 401 when trying to access this anonymously. The same endpoint can also be accessed in Jira Cloud anonymously.
Making it non-anonymous is annoying but good because it will slow down scripts that are scanning networks looking for vulnerable versions of Jira. So, I guess this should be done