Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-71536

Sensitive data exposure via /secure/QueryComponent!Default.jspa endpoint - CVE-2020-14179

XMLWordPrintable

      Summary

      Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint.

      Affected versions:

      • version < 8.5.8
      • 8.6.0 ≤ version < 8.11.1

      Fixed versions:

      • 8.5.8
      • 8.11.1 and above, including 8.13.x

      Note on fix

      We've been unable to fully fix this issue due to short SLA and possible performance problems that fix could introduce. Please check the workaround section for mitigation steps.

      Workaround - Fix Versions

      To workaround this bug on Jira versions listed in "fixed in versions" above, one of the two techniques can be used:

      Workaround - Non-fix versions

      If you are running Jira that is below one of the "fixed in versions" above and should not be open to unauthenticated users, you may block the affected endpoint from anonymous users by using the URL rewrite system.

      First, add the public.access.disabled dark feature as above. This blocks access to the Jira issue navigator when unauthenticated.

      Then, on each node, block the QueryComponent endpoints:

      1. Edit the file JIRA_INSTALL/atlassian-jira/WEB-INF/urlrewrite.xml
      2. Insert a new rule, directly underneath the last </rule> line (but before the </urlrewrite> line):
            <rule>
                <from>(?s)/QueryComponent!.*\.jspa</from>
                <condition type="session-attribute" name="seraph_defaultauthenticator_user" operator="notequal">.+</condition>
                <set type="status">403</set>
                <to>null</to>
            </rule>
        
      3. Restart the node

      If for whatever reason you have scripted basic authentication calls to these endpoints (EG, python/curl requests), they will all be blocked, authenticated or not.

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Votes:
              12 Vote for this issue
              Watchers:
              106 Start watching this issue

                Created:
                Updated:
                Resolved: