Affected versions of Atlassian Jira Server and Data Center allowed an unauthenticated remote attacker to fetch Issue, Project and Sprint information through an Information Disclosure vulnerability in the "/secure/QueryComponentRendererValue!Default.jspa" endpoint.

      Affected versions:

      • version < 9.5.1 (the 8.20.x and 9.4.x lines are only affected below 8.20.21 and 9.4.4 respectively; see Fixed versions below)

      Fixed versions:

      • 8.20.21 and newer
      • 9.4.4 and newer
      • 9.5.1 and newer
      • 9.6.0 and newer
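The Fix Versions above are the first patched release on each line that received a backport; any later patch release on the same line also carries the fix, and everything from 9.6.0 on ships with it. The following check encodes that rule so an installed version string can be classified. It is an added example, not code from the issue or from Atlassian; the parse/compare logic and function names are this example's own.

```python
"""Classify a Jira Server / Data Center version against the Fix Versions
listed for JRASERVER-74771 (8.20.21, 9.4.4, 9.5.1, 9.6.0)."""
from __future__ import annotations

# First patched release on each release line that received a backport.
# Later patch releases on the same line (9.4.5, 9.5.2, ...) include the fix.
FIXED_IN: dict[tuple[int, int], tuple[int, int, int]] = {
    (8, 20): (8, 20, 21),
    (9, 4): (9, 4, 4),
    (9, 5): (9, 5, 1),
}

# 9.6.0 and every later release line carry the fix.
FIRST_FIXED_LINE = (9, 6, 0)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '9.4.5' (or '9.4') into a comparable (major, minor, patch) tuple.

    Raises ValueError for anything that is not two or three dotted integers,
    so a typo in an inventory export is reported instead of silently
    classified.
    """
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jira version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_fixed(version: str) -> bool:
    """True if this release contains the fix for JRASERVER-74771."""
    v = parse_version(version)
    if v >= FIRST_FIXED_LINE:
        return True
    fixed = FIXED_IN.get((v[0], v[1]))
    # Lines with no backport (anything before 8.20, 8.21/8.22, 9.0-9.3) are
    # affected regardless of patch level and need an upgrade to a fixed line.
    return fixed is not None and v >= fixed


def classify(version: str) -> str:
    """Human-readable verdict for a single version string."""
    return "fixed" if is_fixed(version) else "affected"


if __name__ == "__main__":
    # Constructed inventory of installed versions, not real hosts.
    for v in ["8.20.20", "8.20.21", "8.22.6", "9.3.3", "9.4.3", "9.4.5", "9.5.0", "9.5.1", "9.7.1"]:
        print(f"{v:>8}: {classify(v)}")
```

This answers the question raised in the comments below about 9.4.5: it is on the 9.4 line at or above 9.4.4, so it is classified as fixed, while 9.5.0 on the 9.5 line is not.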

            [JRASERVER-74771] Information Disclosure via QueryComponentRenderer API

            David Yu added a comment -

            Having been previously bitten by JRASERVER-71536 (/secure/QueryComponent.jspa), I set up a forced authentication rule with Resolution SSO for SAML, and forced auth on all endpoints /secure/*. Looks like that rule came in handy here as I missed the announcement for this vuln. Highly recommend, especially if you are already using it.
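A forced-authentication rule on /secure/* only helps if anonymous requests actually stop getting content back, and the Jira HTTP access log is the place to verify that. The scan below is an added example, not code from the issue or its commenters: it flags requests to the endpoint named in the description that carried no authenticated user yet were answered with HTTP 200, and leaves redirects alone (a login redirect is assumed here to appear as a 302). The log layout is assumed to be Jira's default access-log format with the username as the third field and "-" for anonymous requests; the sample lines are constructed, including their query strings.

```python
"""Find anonymous, successful requests to the QueryComponentRendererValue
endpoint in Jira HTTP access-log lines (JRASERVER-74771)."""
from __future__ import annotations

import re
from collections import Counter
from typing import Iterable

ENDPOINT = "/secure/QueryComponentRendererValue!Default.jspa"

# Assumed layout of atlassian-jira-http-access.log (Jira's default format):
#   ip request-id username [timestamp] "METHOD path HTTP/x" status bytes ms "referer" "agent" "session"
# The username field is "-" when the request was not authenticated.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<reqid>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample, not a real log. Query strings are placeholders.
SAMPLE_LOG = """\
203.0.113.7 1001x1x1 - [12/Apr/2023:10:00:01 +0000] "GET /secure/QueryComponentRendererValue!Default.jspa?q=1 HTTP/1.1" 200 4821 37 "-" "curl/7.88.1" "-"
203.0.113.7 1002x2x1 - [12/Apr/2023:10:00:02 +0000] "GET /secure/QueryComponentRendererValue!Default.jspa?q=2 HTTP/1.1" 200 5110 41 "-" "curl/7.88.1" "-"
198.51.100.4 1003x3x1 jsmith [12/Apr/2023:10:00:05 +0000] "GET /secure/QueryComponentRendererValue!Default.jspa?q=3 HTTP/1.1" 200 3902 29 "-" "Mozilla/5.0" "a1b2c3"
203.0.113.9 1004x4x1 - [12/Apr/2023:10:00:09 +0000] "GET /secure/QueryComponentRendererValue!Default.jspa?q=1 HTTP/1.1" 302 0 3 "-" "curl/7.88.1" "-"
203.0.113.7 1005x5x1 - [12/Apr/2023:10:00:11 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 18233 343 "-" "curl/7.88.1" "-"
"""


def find_anonymous_hits(lines: Iterable[str]) -> list[dict[str, str]]:
    """Return parsed fields for every anonymous request to ENDPOINT that got a 200.

    A 302 (login redirect) or 401 from an anonymous client is what a working
    forced-authentication rule or the vendor fix should produce, so those are
    deliberately not flagged. Authenticated users are also skipped.
    """
    hits: list[dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line
        path = m.group("path").split("?", 1)[0]
        if path != ENDPOINT:
            continue
        if m.group("user") != "-" or m.group("status") != "200":
            continue
        hits.append({k: m.group(k) for k in ("ip", "ts", "method", "status", "reqid")})
    return hits


def summarize_by_ip(hits: list[dict[str, str]]) -> dict[str, int]:
    """Count flagged requests per source IP, useful for blocking or follow-up."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = find_anonymous_hits(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} anonymous {h["status"]} (req {h["reqid"]})')
    print("per-IP totals:", summarize_by_ip(found))
```

Run against the constructed sample, the two anonymous 200s from 203.0.113.7 are flagged, the authenticated request and the 302 are not, and the Dashboard line is ignored because the path does not match. Substitute `open(path)` for `SAMPLE_LOG.splitlines()` to scan a real log.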

            Ranjith Koolath added a comment - edited

            You may consider employing a workaround by limiting the endpoint for users without authentication. The necessary steps can be found in this knowledge base article: https://confluence.atlassian.com/jirakb/restrict-unauthenticated-access-for-some-jira-endpoints-1206796039.html

            Sue Webber added a comment -

            If unable to update our version right now, is there a workaround that can be applied, as is normally the case?

            Peter Mavridis added a comment -

            Thanks Bruno.

            Much appreciated.

            Bruno added a comment -

            Hey 40a60042dfe3 , thank you for asking!

            Yes, once the fix is included in 9.4.4, all 9.4.x newer versions (9.4.5, 9.4.6, ...) will have the fix included. 
            The same happens for 9.5.x where the issue is fixed on 9.5.1. All newer versions (9.5.2, 9.5.3, ...) will have the fix included. 

            I have edited the Description to be a bit more clear. 

            I hope it helps.

            Peter Mavridis added a comment -

            Hello,

            The information on this page is not consistent and a little confusing. Is 9.4.5 LTS affected by this?

            9.4.4 is listed as fixed; does this mean the fix is in 9.4.5?

            Kevin Lange added a comment - edited

            We can only guess what influences Atlassian's value of the "Priority" field. I'm not too concerned about the assigned priority, as self-hosted Atlassian server/datacenter product security flaws are largely treated with the same remediation timeline: 90 days (mediums to critical). Lows are given 120 days.

            If you want a faster remediation timeline but stability, stay on the most current Long-Term Support version of Atlassian products; the older LTS version will usually get patched last. If you want super-fast remediation, but don't mind the feature/compatibility lurches, one can always move to the most current major version (regardless of LTS).

            I suspect the slow response is partly another advert to consider their SaaS offerings, which enjoy a more expedient security flaw remediation timeframe.

            8.20.21 is now part of the Fix Versions field, but there are no release notes for 8.20.21 published.

            Andris Grinbergs added a comment -

            "allowed an unauthenticated remote attacker to fetch Issue, Project and Sprint information"
            CVSS: 7.5 (High)
            Priority - LOW ???

            Francisco Villar Romasanta added a comment - edited

            We need 8.20.21! Please speed up the process.
            And / or we need a workaround / mitigation.

            Matt Doar added a comment -

            Release Notes should not be updated after the release because you can't guarantee that anyone will ever look at them again. Better to leave the info in the next patch release 9.4.5 and add a note there that the bug was also fixed in 9.4.4.
