Jira Server and Data Center / JRASERVER-71536

Sensitive data exposure via /secure/QueryComponent!Default.jspa endpoint - CVE-2020-14179


      Description

      Summary

      Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint.

      Affected versions:

      • version < 8.5.8
      • 8.6.0 ≤ version < 8.11.1

      Fixed versions:

      • 8.5.8
      • 8.11.1 and above, including 8.13.x

      Note on fix

      We've been unable to fully fix this issue due to the short SLA and possible performance problems that the fix could introduce. Please check the workaround section for mitigation steps.

      Workaround - Fix Versions

      To work around this bug on the Jira versions listed under "Fixed versions" above, one of the following two techniques can be used:

      Workaround - Non-fix versions

      If you are running a Jira version below one of the "Fixed versions" above and the instance should not be open to unauthenticated users, you can block the affected endpoint for anonymous users by using the URL rewrite system.

      First, add the public.access.disabled dark feature as above. This blocks access to the Jira issue navigator when unauthenticated.

      Then, on each node, block the QueryComponent endpoints:

      1. Edit the file JIRA_INSTALL/atlassian-jira/WEB-INF/urlrewrite.xml
      2. Insert a new rule directly underneath the last </rule> line (but before the </urlrewrite> line):

            <rule>
                <from>(?s)/QueryComponent!.*\.jspa</from>
                <condition type="session-attribute" name="seraph_defaultauthenticator_user" operator="notequal">.+</condition>
                <set type="status">403</set>
                <to>null</to>
            </rule>

      3. Restart the node

      If for whatever reason you have scripted basic authentication calls to these endpoints (e.g. python/curl requests), they will all be blocked, authenticated or not: the rule keys on the seraph_defaultauthenticator_user session attribute, which a request carrying only basic-auth credentials and no established session does not have.
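      As an added check (not part of Atlassian's advisory or of Jira itself), the following Python encodes the affected-version ranges listed above and inspects an urlrewrite.xml document for the blocking rule described in the workaround; the sample XML and the helper names are constructed for this example.

```python
import xml.etree.ElementTree as ET


def parse_version(s):
    """Turn a dotted numeric Jira version such as '8.11.1' into (8, 11, 1)."""
    return tuple(int(p) for p in s.split("."))


def is_affected(version):
    """True if `version` falls in a range the advisory lists as affected:
    version < 8.5.8, or 8.6.0 <= version < 8.11.1."""
    v = parse_version(version)
    if v < parse_version("8.5.8"):
        return True
    return parse_version("8.6.0") <= v < parse_version("8.11.1")


def workaround_present(urlrewrite_xml):
    """True if some <rule> in the urlrewrite document matches the QueryComponent
    path, conditions on seraph_defaultauthenticator_user and sets status 403."""
    root = ET.fromstring(urlrewrite_xml)
    for rule in root.findall("rule"):
        if "QueryComponent" not in rule.findtext("from", default=""):
            continue
        cond = rule.find("condition")
        if cond is None or cond.get("type") != "session-attribute":
            continue
        if (cond.get("name") != "seraph_defaultauthenticator_user"
                or cond.get("operator") != "notequal"):
            continue
        statuses = [s.text for s in rule.findall("set") if s.get("type") == "status"]
        if any(s and s.strip() == "403" for s in statuses):
            return True
    return False


# Constructed sample of a patched urlrewrite.xml, not a real Jira file.
SAMPLE_URLREWRITE = """<urlrewrite>
    <rule>
        <from>^/unrelated$</from>
        <to>/elsewhere</to>
    </rule>
    <rule>
        <from>(?s)/QueryComponent!.*\\.jspa</from>
        <condition type="session-attribute" name="seraph_defaultauthenticator_user" operator="notequal">.+</condition>
        <set type="status">403</set>
        <to>null</to>
    </rule>
</urlrewrite>"""
```

      Feed `workaround_present` the contents of JIRA_INSTALL/atlassian-jira/WEB-INF/urlrewrite.xml on each node to confirm the rule survived an upgrade or redeploy.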

      People

      Assignee: Unassigned
      Reporter: Security Metrics Bot (security-metrics-bot)
      Votes: 0
      Watchers: 49