• Type: Public Security Vulnerability
• Resolution: Fixed
• Priority: Low (View bug fix roadmap)
• Fix Version/s: 9.0.0
• Affects Version/s: 8.13.21, 8.20.9, 8.22.3
• Component/s: Security
• Labels:

  • advisory
  • advisory-released
  • dont-import
  • security
  • 🔢✅

[JRASERVER-73926] Rest API Endpoint Leaked Project Categories, Project categories, status categories, issue link types, priorities, and resolutions to Unauthorised users

Collapse comment: Oleksiy Brushkovskyy added a comment - 10/Jul/2023 8:06 PM

Oleksiy Brushkovskyy added a comment - 10/Jul/2023 8:06 PM

Jira 8.22.4.
Is Jira Server actually vulnerable if anonymous access is disabled in global permissions?

Tried to access all mentioned endpoints anonymously without setting all these feature flags - got HTTP/401 Unauthorized for all. All the endpoints are only accessible after the authentication.

Expand comment: Oleksiy Brushkovskyy added a comment - 10/Jul/2023 8:06 PM

Oleksiy Brushkovskyy added a comment - 10/Jul/2023 8:06 PM Jira 8.22.4. Is Jira Server actually vulnerable if anonymous access is disabled in global permissions? Tried to access all mentioned endpoints anonymously without setting all these feature flags - got HTTP/401 Unauthorized for all. All the endpoints are only accessible after the authentication.

Collapse comment: Jeff Blaine added a comment - 17/May/2023 7:41 PM

Jeff Blaine added a comment - 17/May/2023 7:41 PM

we’ll now when architecturally possible also backport all other security bug fixes to Long Term Support releases throughout its standard 2-year support window

(above from https://confluence.atlassian.com/enterprise/long-term-support-releases-948227420.html)

Please provide the fix in the 8.20.X LTS release which is not at the 2 year mark until October 2023.

Expand comment: Jeff Blaine added a comment - 17/May/2023 7:41 PM

Jeff Blaine added a comment - 17/May/2023 7:41 PM we’ll now when architecturally possible also backport all other security bug fixes to Long Term Support releases throughout its standard  2-year support window (above from https://confluence.atlassian.com/enterprise/long-term-support-releases-948227420.html) Please provide the fix in the 8.20.X LTS release which is not at the 2 year mark until October 2023.

Douglas Alves made changes - 03/May/2023 1:11 PM

Description

Original: Affected versions of Atlassian Jira Server and Data Center allows an Un-Authenticated attacker to view Project categories, status categories, issue link types, priorities, and resolutions via an Information Disclosure vulnerability on the following Endpoints:  * /rest/api/2/issueLinkType  * /rest/api/2/priority  * /rest/api/2/projectCategory  * /rest/api/2/resolution  * /rest/api/2/status  * /rest/api/2/statuscategory  * /rest/api/2/projectvalidate/key?key=   * /rest/api/2/jql/autocompletedata/   * /rest/api/latest/avatar/project/system 10/rest/api/2/field    * /rest/api/2/screens  * /rest/api/1.0/issues/2346583/ActionsAndOperations   *Affected versions:*  - version < 9.0.0 *Fixed versions:*  - 9.0.0  - For LTSes (tested on versions 8.13.x and 8.20.x) and versions 8.21+ to restrict anonymous access to the endpoint you need to disable feature flag aka provide {{<feature.flag>.disabled.}}  * (i) Steps to manage Dark Features can be found here: [How to manage dark features in Jira|https://confluence.atlassian.com/jirakb/how-to-manage-dark-features-in-jira-959286331.html] List of flags: ||*Endpoint*||*What changes*||*Feature flag*|| |/rest/api/2/issueLinkType|Anonymous access disabled completely|com.atlassian.jira.security.endpoint.anonymous.access.issueLinkType| |/rest/api/2/priority|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.anonymous.access.priority| |/rest/api/2/projectCategory|Anonymous access disabled completely|com.atlassian.jira.security.endpoint.anonymous.access.projectCategory| |/rest/api/2/resolution|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.anonymous.access.resolution| |/rest/api/2/jql/autocompletedata/|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.non.browse.projects.access.autocompletedata| |/rest/api/latest/avatar/project/system|Anonymous access disabled completly|com.atlassian.jira.security.endpoint.non.admin.access.avatar.system| |/rest/api/2/field|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.non.browse.projects.access.fields| |/rest/api/2/screens|Only admins have access to this endpoint|com.atlassian.jira.security.endpoint.non.admin.access.screens|

New: Affected versions of Atlassian Jira Server and Data Center allows an Un-Authenticated attacker to view Project categories, status categories, issue link types, priorities, and resolutions via an Information Disclosure vulnerability on the following Endpoints:  * /rest/api/2/issueLinkType  * /rest/api/2/priority  * /rest/api/2/projectCategory  * /rest/api/2/resolution  * /rest/api/2/status  * /rest/api/2/statuscategory  * /rest/api/2/projectvalidate/key?key=   * /rest/api/2/jql/autocompletedata/   * /rest/api/latest/avatar/project/system 10/rest/api/2/field    * /rest/api/2/screens  * /rest/api/1.0/issues/2346583/ActionsAndOperations   *Affected versions:*  - version < 9.0.0 *Fixed versions:*  - 9.0.0  - For LTSes (tested on versions 8.13.x and 8.20.x) and versions 8.21+ to restrict anonymous access to the endpoint you need to disable feature flag aka provide {{<feature.flag>.{*}disabled{*}.}}  * (i) Steps to manage Dark Features can be found here: [How to manage dark features in Jira|https://confluence.atlassian.com/jirakb/how-to-manage-dark-features-in-jira-959286331.html] List of flags: ||*Endpoint*||*What changes*||*Feature flag*|| |/rest/api/2/issueLinkType|Anonymous access disabled completely|com.atlassian.jira.security.endpoint.anonymous.access.issueLinkType| |/rest/api/2/priority|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.anonymous.access.priority| |/rest/api/2/projectCategory|Anonymous access disabled completely|com.atlassian.jira.security.endpoint.anonymous.access.projectCategory| |/rest/api/2/resolution|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.anonymous.access.resolution| |/rest/api/2/jql/autocompletedata/|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.non.browse.projects.access.autocompletedata| |/rest/api/latest/avatar/project/system|Anonymous access disabled completly|com.atlassian.jira.security.endpoint.non.admin.access.avatar.system| |/rest/api/2/field|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.non.browse.projects.access.fields| |/rest/api/2/screens|Only admins have access to this endpoint|com.atlassian.jira.security.endpoint.non.admin.access.screens|

Douglas Alves made changes - 03/May/2023 1:10 PM

Description

Original: Affected versions of Atlassian Jira Server and Data Center allows an Un-Authenticated attacker to view Project categories, status categories, issue link types, priorities, and resolutions via an Information Disclosure vulnerability on the following Endpoints:  * /rest/api/2/issueLinkType  * /rest/api/2/priority  * /rest/api/2/projectCategory  * /rest/api/2/resolution  * /rest/api/2/status  * /rest/api/2/statuscategory  * /rest/api/2/projectvalidate/key?key=   * /rest/api/2/jql/autocompletedata/   * /rest/api/latest/avatar/project/system 10/rest/api/2/field    * /rest/api/2/screens  * /rest/api/1.0/issues/2346583/ActionsAndOperations   *Affected versions:*  - version < 9.0.0 *Fixed versions:*  - 9.0.0  - On Jira 8.21+ to restrict anonymous access to the endpoint you need to disable feature flag aka provide {{<feature.flag>.disabled.}}  * (i) Steps to manage Dark Features can be found here: [How to manage dark features in Jira|https://confluence.atlassian.com/jirakb/how-to-manage-dark-features-in-jira-959286331.html] List of flags: ||*Endpoint*||*What changes*||*Feature flag*|| |/rest/api/2/issueLinkType|Anonymous access disabled completely|com.atlassian.jira.security.endpoint.anonymous.access.issueLinkType| |/rest/api/2/priority|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.anonymous.access.priority| |/rest/api/2/projectCategory|Anonymous access disabled completely|com.atlassian.jira.security.endpoint.anonymous.access.projectCategory| |/rest/api/2/resolution|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.anonymous.access.resolution| |/rest/api/2/jql/autocompletedata/|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.non.browse.projects.access.autocompletedata| |/rest/api/latest/avatar/project/system|Anonymous access disabled completly|com.atlassian.jira.security.endpoint.non.admin.access.avatar.system| |/rest/api/2/field|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.non.browse.projects.access.fields| |/rest/api/2/screens|Only admins have access to this endpoint|com.atlassian.jira.security.endpoint.non.admin.access.screens|

New: Affected versions of Atlassian Jira Server and Data Center allows an Un-Authenticated attacker to view Project categories, status categories, issue link types, priorities, and resolutions via an Information Disclosure vulnerability on the following Endpoints:  * /rest/api/2/issueLinkType  * /rest/api/2/priority  * /rest/api/2/projectCategory  * /rest/api/2/resolution  * /rest/api/2/status  * /rest/api/2/statuscategory  * /rest/api/2/projectvalidate/key?key=   * /rest/api/2/jql/autocompletedata/   * /rest/api/latest/avatar/project/system 10/rest/api/2/field    * /rest/api/2/screens  * /rest/api/1.0/issues/2346583/ActionsAndOperations   *Affected versions:*  - version < 9.0.0 *Fixed versions:*  - 9.0.0  - For LTSes (tested on versions 8.13.x and 8.20.x) and versions 8.21+ to restrict anonymous access to the endpoint you need to disable feature flag aka provide {{<feature.flag>.disabled.}}  * (i) Steps to manage Dark Features can be found here: [How to manage dark features in Jira|https://confluence.atlassian.com/jirakb/how-to-manage-dark-features-in-jira-959286331.html] List of flags: ||*Endpoint*||*What changes*||*Feature flag*|| |/rest/api/2/issueLinkType|Anonymous access disabled completely|com.atlassian.jira.security.endpoint.anonymous.access.issueLinkType| |/rest/api/2/priority|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.anonymous.access.priority| |/rest/api/2/projectCategory|Anonymous access disabled completely|com.atlassian.jira.security.endpoint.anonymous.access.projectCategory| |/rest/api/2/resolution|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.anonymous.access.resolution| |/rest/api/2/jql/autocompletedata/|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.non.browse.projects.access.autocompletedata| |/rest/api/latest/avatar/project/system|Anonymous access disabled completly|com.atlassian.jira.security.endpoint.non.admin.access.avatar.system| |/rest/api/2/field|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.non.browse.projects.access.fields| |/rest/api/2/screens|Only admins have access to this endpoint|com.atlassian.jira.security.endpoint.non.admin.access.screens|

Collapse comment: daenglis added a comment - 17/Apr/2023 11:35 PM

daenglis added a comment - 17/Apr/2023 11:35 PM

Please provide a fix in LTS.

Expand comment: daenglis added a comment - 17/Apr/2023 11:35 PM

daenglis added a comment - 17/Apr/2023 11:35 PM Please provide a fix in LTS.

Thales Santos made changes - 11/Apr/2023 8:01 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 748809 ]

Collapse comment: Noni Khutane added a comment - 06/Apr/2023 9:03 AM

Noni Khutane added a comment - 06/Apr/2023 9:03 AM

Will this be in LTS we need to make a decision to upgrade to a fixed version and skipping to version 9 is not ideal at the moment

Expand comment: Noni Khutane added a comment - 06/Apr/2023 9:03 AM

Noni Khutane added a comment - 06/Apr/2023 9:03 AM Will this be in LTS we need to make a decision to upgrade to a fixed version and skipping to version 9 is not ideal at the moment

Thales Santos made changes - 04/Apr/2023 8:06 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 747138 ]

Bruno made changes - 15/Mar/2023 9:17 PM

Description

Original: Affected versions of Atlassian Jira Server and Data Center allows an Un-Authenticated attacker to view Project categories, status categories, issue link types, priorities, and resolutions via an Information Disclosure vulnerability on the following Endpoints:  * /rest/api/2/issueLinkType  * /rest/api/2/priority  * /rest/api/2/projectCategory  * /rest/api/2/resolution  * /rest/api/2/status  * /rest/api/2/statuscategory  * /rest/api/2/projectvalidate/key?key=   * /rest/api/2/jql/autocompletedata/   * /rest/api/latest/avatar/project/system 10/rest/api/2/field    * /rest/api/2/screens  * /rest/api/1.0/issues/2346583/ActionsAndOperations   *Affected versions:*  - version < 9.0.0 *Fixed versions:*  - 9.0.0  - On Jira 8.x to restrict anonymous access to the endpoint you need to disable feature flag aka provide {{<feature.flag>.disabled.}}  * (i) Steps to manage Dark Features can be found here: [How to manage dark features in Jira|https://confluence.atlassian.com/jirakb/how-to-manage-dark-features-in-jira-959286331.html] List of flags: ||*Endpoint*||*What changes*||*Feature flag*|| |/rest/api/2/issueLinkType|Anonymous access disabled completely|com.atlassian.jira.security.endpoint.anonymous.access.issueLinkType| |/rest/api/2/priority|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.anonymous.access.priority| |/rest/api/2/projectCategory|Anonymous access disabled completely|com.atlassian.jira.security.endpoint.anonymous.access.projectCategory| |/rest/api/2/resolution|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.anonymous.access.resolution| |/rest/api/2/jql/autocompletedata/|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.non.browse.projects.access.autocompletedata| |/rest/api/latest/avatar/project/system|Anonymous access disabled completly|com.atlassian.jira.security.endpoint.non.admin.access.avatar.system| |/rest/api/2/field|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.non.browse.projects.access.fields| |/rest/api/2/screens|Only admins have access to this endpoint|com.atlassian.jira.security.endpoint.non.admin.access.screens|

New: Affected versions of Atlassian Jira Server and Data Center allows an Un-Authenticated attacker to view Project categories, status categories, issue link types, priorities, and resolutions via an Information Disclosure vulnerability on the following Endpoints:  * /rest/api/2/issueLinkType  * /rest/api/2/priority  * /rest/api/2/projectCategory  * /rest/api/2/resolution  * /rest/api/2/status  * /rest/api/2/statuscategory  * /rest/api/2/projectvalidate/key?key=   * /rest/api/2/jql/autocompletedata/   * /rest/api/latest/avatar/project/system 10/rest/api/2/field    * /rest/api/2/screens  * /rest/api/1.0/issues/2346583/ActionsAndOperations   *Affected versions:*  - version < 9.0.0 *Fixed versions:*  - 9.0.0  - On Jira 8.21+ to restrict anonymous access to the endpoint you need to disable feature flag aka provide {{<feature.flag>.disabled.}}  * (i) Steps to manage Dark Features can be found here: [How to manage dark features in Jira|https://confluence.atlassian.com/jirakb/how-to-manage-dark-features-in-jira-959286331.html] List of flags: ||*Endpoint*||*What changes*||*Feature flag*|| |/rest/api/2/issueLinkType|Anonymous access disabled completely|com.atlassian.jira.security.endpoint.anonymous.access.issueLinkType| |/rest/api/2/priority|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.anonymous.access.priority| |/rest/api/2/projectCategory|Anonymous access disabled completely|com.atlassian.jira.security.endpoint.anonymous.access.projectCategory| |/rest/api/2/resolution|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.anonymous.access.resolution| |/rest/api/2/jql/autocompletedata/|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.non.browse.projects.access.autocompletedata| |/rest/api/latest/avatar/project/system|Anonymous access disabled completly|com.atlassian.jira.security.endpoint.non.admin.access.avatar.system| |/rest/api/2/field|Anonymous access blocked only when there is no projects available for anonymous users|com.atlassian.jira.security.endpoint.non.browse.projects.access.fields| |/rest/api/2/screens|Only admins have access to this endpoint|com.atlassian.jira.security.endpoint.non.admin.access.screens|

Collapse comment: Keith Schug added a comment - 24/Feb/2023 2:14 PM

Keith Schug added a comment - 24/Feb/2023 2:14 PM

Will this fix be available in the next LTS release?

Expand comment: Keith Schug added a comment - 24/Feb/2023 2:14 PM

Keith Schug added a comment - 24/Feb/2023 2:14 PM Will this fix be available in the next LTS release?

Load more older events