Jira Data Center
JRASERVER-73926

REST API endpoints leaked project categories, status categories, issue link types, priorities, and resolutions to unauthorised users

    • CVSS score: 5.3
    • Severity: Medium

      Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated attacker to view project categories, status categories, issue link types, priorities, and resolutions via an information disclosure vulnerability on the following endpoints:

      • /rest/api/2/issueLinkType
      • /rest/api/2/priority
      • /rest/api/2/projectCategory
      • /rest/api/2/resolution
      • /rest/api/2/status
      • /rest/api/2/statuscategory
      • /rest/api/2/projectvalidate/key?key= 
      • /rest/api/2/jql/autocompletedata/ 
      • /rest/api/latest/avatar/project/system
      • /rest/api/2/field
      • /rest/api/2/screens
      • /rest/api/1.0/issues/2346583/ActionsAndOperations


      Affected versions:

      • version < 9.0.0

      Fixed versions:

      • 9.0.0
      • For LTS releases (tested on 8.13.x and 8.20.x) and versions 8.21 and later, restrict anonymous access to an endpoint by disabling the corresponding feature flag, i.e. by providing <feature.flag>.disabled (the disabled form of the flag key) as a dark feature on the instance.

      List of flags:

      • /rest/api/2/issueLinkType
        What changes: anonymous access disabled completely
        Feature flag: com.atlassian.jira.security.endpoint.anonymous.access.issueLinkType
      • /rest/api/2/priority
        What changes: anonymous access blocked only when no projects are available to anonymous users
        Feature flag: com.atlassian.jira.security.endpoint.anonymous.access.priority
      • /rest/api/2/projectCategory
        What changes: anonymous access disabled completely
        Feature flag: com.atlassian.jira.security.endpoint.anonymous.access.projectCategory
      • /rest/api/2/resolution
        What changes: anonymous access blocked only when no projects are available to anonymous users
        Feature flag: com.atlassian.jira.security.endpoint.anonymous.access.resolution
      • /rest/api/2/jql/autocompletedata/
        What changes: anonymous access blocked only when no projects are available to anonymous users
        Feature flag: com.atlassian.jira.security.endpoint.non.browse.projects.access.autocompletedata
      • /rest/api/latest/avatar/project/system
        What changes: anonymous access disabled completely
        Feature flag: com.atlassian.jira.security.endpoint.non.admin.access.avatar.system
      • /rest/api/2/field
        What changes: anonymous access blocked only when no projects are available to anonymous users
        Feature flag: com.atlassian.jira.security.endpoint.non.browse.projects.access.fields
      • /rest/api/2/screens
        What changes: only administrators have access to this endpoint
        Feature flag: com.atlassian.jira.security.endpoint.non.admin.access.screens

      The other endpoints in the list above (/rest/api/2/status, /rest/api/2/statuscategory, /rest/api/2/projectvalidate/key and /rest/api/1.0/issues/2346583/ActionsAndOperations) have no feature flag in this table; for those, the only fix listed here is the upgrade to 9.0.0.
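To confirm which of the endpoints listed above still answer anonymous requests, before and after the flags are disabled, the following checker sends unauthenticated GETs to each one and classifies the response. It is an added example, not Atlassian's code and not part of this issue. The base URL, the placeholder project key TEST passed to projectvalidate/key, the default timeout and the verdict rules are assumptions: the issue only says anonymous access gets blocked, not which status code a fixed endpoint returns.

```python
#!/usr/bin/env python3
"""Anonymous-access checker for the endpoints named in JRASERVER-73926.

Added example, not Atlassian code. Sends unauthenticated GETs and
classifies the responses. Assumptions: the base URL is given on the
command line, PROJECT_KEY is a placeholder for the projectvalidate
endpoint, and the verdict rules below are ours (the issue only says
anonymous access is blocked, not which status code comes back).
"""
import json
import sys
import urllib.error
import urllib.request

PROJECT_KEY = "TEST"   # assumed placeholder; the issue leaves the key blank
ISSUE_ID = "2346583"   # issue id quoted in the report; use one from your instance

# Endpoint list taken from the issue, in the order given there.
ENDPOINTS = [
    "/rest/api/2/issueLinkType",
    "/rest/api/2/priority",
    "/rest/api/2/projectCategory",
    "/rest/api/2/resolution",
    "/rest/api/2/status",
    "/rest/api/2/statuscategory",
    "/rest/api/2/projectvalidate/key?key=" + PROJECT_KEY,
    "/rest/api/2/jql/autocompletedata/",
    "/rest/api/latest/avatar/project/system",
    "/rest/api/2/field",
    "/rest/api/2/screens",
    "/rest/api/1.0/issues/" + ISSUE_ID + "/ActionsAndOperations",
]


def http_get(url, timeout=10):
    """Unauthenticated GET. Returns (status, content_type, body).
    urllib follows redirects, so a bounce to the login page arrives here
    as 200 text/html, which classify() reports as 'non-json'."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), err.read()


def classify(status, content_type, body):
    """Map one response to a verdict. 'leaked' means the server handed a
    non-empty JSON document to an anonymous caller."""
    if status in (401, 403):
        return "blocked"
    if status == 404:
        return "not-found"
    if status != 200:
        return "unexpected"
    if "json" not in content_type.lower():
        return "non-json"          # typically the HTML login page
    try:
        data = json.loads(body)
    except ValueError:
        return "unexpected"
    if data in ([], {}, None):
        return "empty"             # answered, but with no content
    return "leaked"


def scan(base_url, endpoints=ENDPOINTS, get=http_get):
    """Probe every endpoint anonymously and return {path: verdict}.
    'get' is injectable so the logic can be exercised without a server."""
    base = base_url.rstrip("/")
    return {path: classify(*get(base + path)) for path in endpoints}


def main(argv):
    if len(argv) != 2:
        print("usage: jira_anon_check.py https://jira.example.com", file=sys.stderr)
        return 2
    results = scan(argv[1])
    for path, verdict in results.items():
        print(f"{verdict:<11} {path}")
    # Non-zero exit when anything leaked, so the check can gate a change.
    return 1 if "leaked" in results.values() else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 jira_anon_check.py https://jira.example.com from outside the instance's authenticated session; it exits 1 when any endpoint returns data anonymously. A "non-json" verdict usually means Jira redirected the request to its login page, which counts as blocked for this purpose, while "empty" means the endpoint answered but had nothing to disclose (for example /rest/api/2/field when anonymous users can browse no projects).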
