-
Public Security Vulnerability
-
Resolution: Fixed
-
Low (View bug fix roadmap)
-
8.13.21, 8.20.9, 8.22.3
-
5.3
-
Medium
Affected versions of Atlassian Jira Server and Data Center allows an Un-Authenticated attacker to view Project categories, status categories, issue link types, priorities, and resolutions via an Information Disclosure vulnerability on the following Endpoints:
- /rest/api/2/issueLinkType
- /rest/api/2/priority
- /rest/api/2/projectCategory
- /rest/api/2/resolution
- /rest/api/2/status
- /rest/api/2/statuscategory
- /rest/api/2/projectvalidate/key?key=
- /rest/api/2/jql/autocompletedata/
- /rest/api/latest/avatar/project/system 10/rest/api/2/field
- /rest/api/2/screens
- /rest/api/1.0/issues/2346583/ActionsAndOperations
Affected versions:
- version < 9.0.0
Fixed versions:
- 9.0.0
- For LTSes (tested on versions 8.13.x and 8.20.x) and versions 8.21+ to restrict anonymous access to the endpoint you need to disable feature flag aka provide <feature.flag>.disabled.
Steps to manage Dark Features can be found here: How to manage dark features in Jira
List of flags:
| Endpoint | What changes | Feature flag |
|---|---|---|
| /rest/api/2/issueLinkType | Anonymous access disabled completely | com.atlassian.jira.security.endpoint.anonymous.access.issueLinkType |
| /rest/api/2/priority | Anonymous access blocked only when there is no projects available for anonymous users | com.atlassian.jira.security.endpoint.anonymous.access.priority |
| /rest/api/2/projectCategory | Anonymous access disabled completely | com.atlassian.jira.security.endpoint.anonymous.access.projectCategory |
| /rest/api/2/resolution | Anonymous access blocked only when there is no projects available for anonymous users | com.atlassian.jira.security.endpoint.anonymous.access.resolution |
| /rest/api/2/jql/autocompletedata/ | Anonymous access blocked only when there is no projects available for anonymous users | com.atlassian.jira.security.endpoint.non.browse.projects.access.autocompletedata |
| /rest/api/latest/avatar/project/system | Anonymous access disabled completly | com.atlassian.jira.security.endpoint.non.admin.access.avatar.system |
| /rest/api/2/field | Anonymous access blocked only when there is no projects available for anonymous users | com.atlassian.jira.security.endpoint.non.browse.projects.access.fields |
| /rest/api/2/screens | Only admins have access to this endpoint | com.atlassian.jira.security.endpoint.non.admin.access.screens |
[JRASERVER-73926] Rest API Endpoint Leaked Project Categories, Project categories, status categories, issue link types, priorities, and resolutions to Unauthorised users
we’ll now when architecturally possible also backport all other security bug fixes to Long Term Support releases throughout its standard 2-year support window
(above from https://confluence.atlassian.com/enterprise/long-term-support-releases-948227420.html)
Please provide the fix in the 8.20.X LTS release which is not at the 2 year mark until October 2023.
Will this be in LTS we need to make a decision to upgrade to a fixed version and skipping to version 9 is not ideal at the moment
Can you please provide a working link to the workaround.
And when will this be backported to LTS Release?
This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 5.3 => Medium severity
Exploitability Metrics
| Attack Vector | Network |
|---|---|
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
Scope Metric
| Scope | Unchanged |
|---|
Impact Metrics
| Confidentiality | Low |
|---|---|
| Integrity | None |
| Availability | None |
https://asecurityteam.bitbucket.io/cvss_v3/?#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Jira 8.22.4.
Is Jira Server actually vulnerable if anonymous access is disabled in global permissions?
Tried to access all mentioned endpoints anonymously without setting all these feature flags - got HTTP/401 Unauthorized for all. All the endpoints are only accessible after the authentication.