- Public Security Vulnerability
- Resolution: Fixed
- Low
- 8.13.21, 8.20.9, 8.22.3
- 5.3
- Medium
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated attacker to view project categories, status categories, issue link types, priorities, and resolutions via an information disclosure vulnerability on the following endpoints:
- /rest/api/2/issueLinkType
- /rest/api/2/priority
- /rest/api/2/projectCategory
- /rest/api/2/resolution
- /rest/api/2/status
- /rest/api/2/statuscategory
- /rest/api/2/projectvalidate/key?key=
- /rest/api/2/jql/autocompletedata/
- /rest/api/latest/avatar/project/system
- /rest/api/2/field
- /rest/api/2/screens
- /rest/api/1.0/issues/2346583/ActionsAndOperations
Affected versions:
- version < 9.0.0
Fixed versions:
- 9.0.0
- For LTS releases (tested on 8.13.x and 8.20.x) and versions 8.21+, anonymous access to an endpoint is restricted by disabling the corresponding feature flag, i.e. by providing <feature.flag>.disabled.
- Steps to manage dark features can be found here: How to manage dark features in Jira
List of flags:
| Endpoint | What changes | Feature flag |
|---|---|---|
| /rest/api/2/issueLinkType | Anonymous access disabled completely | com.atlassian.jira.security.endpoint.anonymous.access.issueLinkType |
| /rest/api/2/priority | Anonymous access blocked only when no projects are available to anonymous users | com.atlassian.jira.security.endpoint.anonymous.access.priority |
| /rest/api/2/projectCategory | Anonymous access disabled completely | com.atlassian.jira.security.endpoint.anonymous.access.projectCategory |
| /rest/api/2/resolution | Anonymous access blocked only when no projects are available to anonymous users | com.atlassian.jira.security.endpoint.anonymous.access.resolution |
| /rest/api/2/jql/autocompletedata/ | Anonymous access blocked only when no projects are available to anonymous users | com.atlassian.jira.security.endpoint.non.browse.projects.access.autocompletedata |
| /rest/api/latest/avatar/project/system | Anonymous access disabled completely | com.atlassian.jira.security.endpoint.non.admin.access.avatar.system |
| /rest/api/2/field | Anonymous access blocked only when no projects are available to anonymous users | com.atlassian.jira.security.endpoint.non.browse.projects.access.fields |
| /rest/api/2/screens | Only admins have access to this endpoint | com.atlassian.jira.security.endpoint.non.admin.access.screens |
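As an added verification aid (not Atlassian's code), the script below probes each endpoint from the table above without credentials against your own instance and reports those that still answer an anonymous caller, using the table's policy to decide what counts as a failure. It assumes that a blocked endpoint returns a non-2xx status (401/403/404) and that the administrator knows whether any project is browsable by anonymous users.

```python
"""Post-mitigation check for the endpoints in this advisory: probe each one
without credentials and flag any that still answer an anonymous caller."""
import sys
import urllib.error
import urllib.request

# Policy per the advisory table: "always" = anonymous access must be blocked
# unconditionally; "no_anon_projects" = blocked only when no project is
# browsable anonymously; "admin" = only administrators may call it.
EXPECTED = {
    "/rest/api/2/issueLinkType": "always",
    "/rest/api/2/priority": "no_anon_projects",
    "/rest/api/2/projectCategory": "always",
    "/rest/api/2/resolution": "no_anon_projects",
    "/rest/api/2/jql/autocompletedata/": "no_anon_projects",
    "/rest/api/latest/avatar/project/system": "always",
    "/rest/api/2/field": "no_anon_projects",
    "/rest/api/2/screens": "admin",
}

def is_exposed(endpoint, status, anon_projects_exist):
    """True when an unauthenticated 2xx answer contradicts the policy above.
    Assumption: a blocked endpoint returns a non-2xx status (401/403/404)."""
    if EXPECTED[endpoint] == "no_anon_projects" and anon_projects_exist:
        return False  # anonymous access is by design while such projects exist
    return 200 <= status < 300

def exposed_endpoints(results, anon_projects_exist):
    """Given {endpoint: http_status} from anonymous probes, list the failures."""
    return [ep for ep, st in results.items()
            if ep in EXPECTED and is_exposed(ep, st, anon_projects_exist)]

def probe(base_url, endpoint, timeout=10):
    """GET the endpoint with no cookies or credentials; return the HTTP status."""
    req = urllib.request.Request(base_url.rstrip("/") + endpoint,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

if __name__ == "__main__":
    # usage: python3 check_anon.py https://jira.example.com [--anon-projects]
    base, anon = sys.argv[1], "--anon-projects" in sys.argv[2:]
    statuses = {ep: probe(base, ep) for ep in EXPECTED}
    bad = exposed_endpoints(statuses, anon)
    for ep in bad:
        print("EXPOSED", statuses[ep], ep)
    sys.exit(1 if bad else 0)
```

A non-zero exit code means at least one endpoint still serves anonymous requests and the corresponding flag from the table should be re-checked.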