Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-72613

Anonymous users can view list of installed gadgets in Jira

XMLWordPrintable

      Issue Summary

      Endpoint "rest/config/1.0/directory" can be accessed anonymously. This page is an XML output that exposes the gadgets installed on the Jira instance.

      While there are not be any identifying information, user data, or anything else available to anonymous users if they hit this URL, a potential bad actor could better understand which add-ons customers have installed into theirJira instance and use that information to their advantage to attack them. This could be through malicious attacks that exploit those add-ons specifically, taking advantage of possible security vulnerabilities of those instances, or phishing-like attacks where the bad actor may impersonate vendors to get information from us.

      Steps to Reproduce

      Access <JIRA BASE URL>/rest/config/1.0/directory anonymously

      Expected Results

      The user gets redirected to log in

      Actual Results

      The page is shown:

       

      Notes
      This happens even if the public access is blocked using a flag in the dark features

      This page is used by the Jira gadget plugin so we don't recommend blocking it as it might cause some functionalities to fail in Jira, and this was not tested.

       

      Workaround

      Block the unauthenticated access to this particular URL */rest/config/1.0/directory at the network level. For example, block the URL from being accessed from the proxy side. Another option is doing it from Apache Tomcat: How to block access to a specific URL at Tomcat

              Unassigned Unassigned
              mshahlori Mahtab
              Votes:
              13 Vote for this issue
              Watchers:
              19 Start watching this issue

                Created:
                Updated:
                Resolved: