Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-73593

A user can view the "createmeta" information of private projects

XMLWordPrintable

    • 5.3
    • Medium

      Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers without permission to view a private project to view the project's issue creation meta information via a Broken Access Control vulnerability in the /issue/createmeta endpoint.

       

      The affected versions are before version 8.22.0.,  versions prior to 8.20.12

       

      Affected versions:

      • version < 8.22.0
      • versions < 8.20.12
      • versions < 8.13.25

      Fixed versions:

      • 8.22.0  
      • 8.20.12
      • 8.13.25

      Please follow this Ticket: JRASERVER-74131 to track the backport request to 8.20.x. For security purposes, this ticket is internal for now.

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              54 Start watching this issue

                Created:
                Updated:
                Resolved: