- Type: Bug
- Resolution: Fixed
- Priority: Highest
- Affects Version/s: 8.6.0, 8.8.0, 8.5.5, 8.9.0, 8.10.0, 8.11.0
- 8.05
- 271
- Severity 2 - Major
- 567
Summary
Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint.
Affected versions:
- version < 8.5.8
- 8.6.0 ≤ version < 8.11.1
Fixed versions:
- 8.5.8
- 8.11.1 and above, including 8.13.x
Note on fix
We've been unable to fully fix this issue due to the short SLA and the possible performance problems that a fix could introduce. Please check the workaround section for mitigation steps.
Workaround - Fix Versions
To work around this bug on the Jira versions listed in "fixed in versions" above, one of two techniques can be used:
- Add the dark feature "public.access.disabled" (see How to control anonymous user access in a public Jira instance)
  - In the fix versions above, the endpoint will now return 401 for anonymous users.
- Add the newly added dark feature "com.atlassian.jira.plugin.issuenavigator.anonymousPreventCfData.enabled"
  - 200 will be returned, but all custom fields are filtered out of the response when the request is not authenticated.
  - The side effect of turning on the "com.atlassian.jira.plugin.issuenavigator.anonymousPreventCfData.enabled" flag is that in basic mode of issue search (https://confluence.atlassian.com/jirasoftwareserver/basic-searching-939938708.html) no custom fields are available to anonymous users, and a warning is presented: "You're not logged in, so you can't use custom fields in basic search. Log in or switch to advanced search."
  - Advanced mode should work fine (https://confluence.atlassian.com/jirasoftwareserver/advanced-searching-939938733.html).
Workaround - Non-fix versions
If you are running a Jira version below the "fixed in versions" above and the instance should not be open to unauthenticated users, you can block the affected endpoint for anonymous users by using the URL rewrite system.
First, add the public.access.disabled dark feature as above. This blocks access to the Jira issue navigator when unauthenticated.
Then, on each node, block the QueryComponent endpoints:
- Edit the file JIRA_INSTALL/atlassian-jira/WEB-INF/urlrewrite.xml
- Insert a new rule directly underneath the last </rule> line (but before the </urlrewrite> line):

    <rule>
        <from>(?s)/QueryComponent!.*\.jspa</from>
        <condition type="session-attribute" name="seraph_defaultauthenticator_user" operator="notequal">.+</condition>
        <set type="status">403</set>
        <to>null</to>
    </rule>

- Restart the node
If for whatever reason you have scripted basic authentication calls to these endpoints (e.g. python/curl requests), they will all be blocked, authenticated or not, because the rule matches on the session attribute rather than on request credentials.
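The urlrewrite.xml edit above is easy to get wrong by hand across several nodes. The following added example (not Atlassian's code, not part of this issue) inserts the advisory's rule directly after the last </rule>, refuses to insert twice, and confirms the result is still well-formed XML. The sample urlrewrite.xml content is constructed for the demonstration.

```python
"""Patch a Jira urlrewrite.xml with the QueryComponent blocking rule (added example)."""
import xml.etree.ElementTree as ET

# Rule text from the advisory, pretty-printed. The condition matches when the
# session has no authenticated Seraph user, so only anonymous requests get 403.
BLOCK_RULE = """    <rule>
        <from>(?s)/QueryComponent!.*\\.jspa</from>
        <condition type="session-attribute" name="seraph_defaultauthenticator_user" operator="notequal">.+</condition>
        <set type="status">403</set>
        <to>null</to>
    </rule>
"""

# Constructed stand-in for JIRA_INSTALL/atlassian-jira/WEB-INF/urlrewrite.xml.
SAMPLE_URLREWRITE = """<urlrewrite>
    <rule>
        <from>/example/old</from>
        <to>/example/new</to>
    </rule>
</urlrewrite>
"""


def rule_present(xml_text: str) -> bool:
    """True if some <from> already targets the QueryComponent actions."""
    root = ET.fromstring(xml_text)
    return any("QueryComponent!" in (frm.text or "") for frm in root.iter("from"))


def add_block_rule(xml_text: str) -> str:
    """Return the file content with BLOCK_RULE inserted after the last </rule>.

    Idempotent: returns the input unchanged if the rule is already there.
    Raises ValueError if no <rule> exists (placement would be a guess) and
    ET.ParseError if the patched document is not well-formed XML.
    """
    if rule_present(xml_text):
        return xml_text
    close_tag = "</rule>"
    last = xml_text.rfind(close_tag)
    if last == -1:
        raise ValueError("no existing <rule> found; refusing to guess a placement")
    # Insert on the line following the last </rule>, i.e. before </urlrewrite>.
    newline = xml_text.find("\n", last + len(close_tag))
    insert_at = len(xml_text) if newline == -1 else newline + 1
    patched = xml_text[:insert_at] + BLOCK_RULE + xml_text[insert_at:]
    ET.fromstring(patched)  # well-formedness check before anything is written to disk
    return patched


if __name__ == "__main__":
    print(add_block_rule(SAMPLE_URLREWRITE))
```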
is related to
- JRASERVER-74757 Clicking on checkboxes in Basic Search returns an error: The Jira server could not be contacted. This may be a temporary glitch or the server may be down. (Closed)
- JRACLOUD-75661 Sensitive data exposure via /secure/QueryComponent!Default.jspa endpoint - CVE-2020-14179 (Closed)
is cloned by
- MNSTR-4369