Affected versions of Atlassian Jira Server and Data Center allowed an unauthenticated remote attacker to fetch Issue, Project and Sprint information through an Information Disclosure vulnerability in the "/secure/QueryComponentRendererValue!Default.jspa" endpoint.

      Affected versions:

      • version < 9.5.1, except the patched 8.20.x and 9.4.x releases listed under Fixed versions below

      Fixed versions:

      • 8.20.21 and newer
      • 9.4.4 and newer
      • 9.5.1 and newer
      • 9.6.0 and newer
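The two lists above are branch-specific: a release below 9.5.1 is only safe if it sits at or above the backported patch level on its own branch. The following checker is an added example, not Atlassian's code and not part of this issue; it encodes nothing but the fix versions listed above, and the branch names and "no fix version listed" wording are my own. It is the kind of logic a vulnerability scanner or an internal inventory script needs so that, for instance, 9.4.3 is reported as affected while 8.20.21 is not.

```python
"""Classify a Jira Server / Data Center version against the fix versions of
JRASERVER-74771 (8.20.21, 9.4.4, 9.5.1, 9.6.0).

Added example, not Atlassian's code. Only the version numbers on the issue
page are encoded; the branch handling and messages are this example's own.
"""
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Backported fix per release branch (major, minor) -> first fixed release.
FIXED_ON_BRANCH: Dict[Tuple[int, int], Version] = {
    (8, 20): (8, 20, 21),
    (9, 4): (9, 4, 4),
    (9, 5): (9, 5, 1),
}
# Everything from 9.6.0 onwards carries the fix.
FIRST_FIXED_MAINLINE: Version = (9, 6, 0)


def parse_version(text: str) -> Version:
    """Turn '9.4.4' (or '9.4') into a (major, minor, patch) tuple.

    A '-suffix' such as '-rc1' is dropped; anything else is rejected so a typo
    in an inventory file fails loudly instead of silently reading as fixed.
    """
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jira version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(text: str) -> Tuple[bool, str]:
    """Return (is_affected, explanation) for one Jira version string."""
    v = parse_version(text)
    branch = (v[0], v[1])
    if v >= FIRST_FIXED_MAINLINE:
        return False, f"{text}: fixed (>= {fmt(FIRST_FIXED_MAINLINE)})"
    if branch in FIXED_ON_BRANCH:
        fixed = FIXED_ON_BRANCH[branch]
        if v >= fixed:
            return False, f"{text}: fixed (backport in {fmt(fixed)})"
        return True, f"{text}: affected, upgrade to {fmt(fixed)}"
    # Any other release below 9.6.0 (e.g. 8.22.x, 9.0.x-9.3.x) is affected and
    # has no fix version listed on its branch; moving branch is the only fix.
    return True, f"{text}: affected, no fix version listed for the {v[0]}.{v[1]}.x branch"


if __name__ == "__main__":
    for candidate in ["8.20.20", "8.20.21", "9.4.3", "9.4.5", "9.5.0", "9.3.1", "9.6.0"]:
        affected, why = assess(candidate)
        print("AFFECTED" if affected else "ok      ", why)
```

Feed it the version string from each instance's footer or from `/rest/api/2/serverInfo` and it tells you whether that instance still needs the backport on its branch.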

            [JRASERVER-74771] Information Disclosure via QueryComponentRenderer API

            David Yu added a comment -

            Having been previously bitten by JRASERVER-71536 (/secure/QueryComponent.jspa), I set up a forced authentication rule with Resolution SSO for SAML, and forced auth on all endpoints /secure/*. Looks like that rule came in handy here as I missed the announcement for this vuln. Highly recommend, especially if you are already using it.

            Ranjith Koolath added a comment - edited

            You may consider employing a workaround by limiting the endpoint for users without authentication. The necessary steps can be found in this knowledge base article: https://confluence.atlassian.com/jirakb/restrict-unauthenticated-access-for-some-jira-endpoints-1206796039.html
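Whichever way the endpoint is restricted (the KB article above or a forced-login rule on /secure/*), the access log is where you confirm the restriction holds and look for earlier anonymous reads. The script below is an added example, not from this thread and not Atlassian's code. The log lines are constructed; they assume the field order of Jira's default Tomcat access-log pattern (client IP, request id, username or "-" for anonymous, timestamp, request line, status, bytes, duration, referer, user agent, session id). If your server.xml uses a different pattern, adjust LOG_RE. A 2xx to an anonymous client on the endpoint means data was served without a login; the 302 in the sample is what a forced-login rule should produce instead.

```python
"""Find anonymous requests to the JRASERVER-74771 endpoint in Jira access logs.

Added example, not Atlassian's code. SAMPLE_LOG is constructed and assumes the
default Jira access-log field layout; LOG_RE is the only thing to adapt.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

TARGET_PATH = "/secure/QueryComponentRendererValue!Default.jspa"

# Assumed layout: ip reqid user [ts] "METHOD target proto" status bytes ms "referer" "ua" "session"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<reqid>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
    r'(?P<bytes>\S+) (?P<ms>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: an anonymous hit that was served, an authenticated hit,
# an anonymous hit redirected to login (the wanted outcome), unrelated traffic.
SAMPLE_LOG = """\
203.0.113.7 1102x41x1 - [21/Mar/2023:08:14:02 +0000] "GET /secure/QueryComponentRendererValue!Default.jspa?jql=project%3DSEC HTTP/1.1" 200 5812 143 "-" "python-requests/2.28.1" "-"
10.0.5.21 1102x42x1 jdoe [21/Mar/2023:08:14:09 +0000] "GET /secure/QueryComponentRendererValue!Default.jspa?jql=sprint%3D42 HTTP/1.1" 200 2210 88 "https://jira.example.test/issues/" "Mozilla/5.0" "a1b2c3"
203.0.113.7 1102x43x1 - [21/Mar/2023:08:14:15 +0000] "GET /secure/QueryComponentRendererValue!Default.jspa?jql=project%3DSEC HTTP/1.1" 302 0 12 "-" "python-requests/2.28.1" "-"
198.51.100.9 1102x44x1 - [21/Mar/2023:08:15:00 +0000] "GET /login.jsp HTTP/1.1" 200 9120 31 "-" "Mozilla/5.0" "-"
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one access-log line into named fields; reject unknown layouts."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"line does not match the assumed access-log layout: {line!r}")
    return m.groupdict()


def unauthenticated_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Entries where an anonymous client reached TARGET_PATH and got a 2xx.

    Query strings are stripped before comparing the path; a 3xx/4xx from an
    anonymous client is the restriction working and is deliberately not flagged.
    """
    hits: List[Dict[str, str]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = parse_line(raw)
        path = entry["target"].split("?", 1)[0]
        if path == TARGET_PATH and entry["user"] == "-" and entry["status"].startswith("2"):
            hits.append(entry)
    return hits


def sources(hits: List[Dict[str, str]]) -> Counter:
    """Count flagged requests per client IP, for triage."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = unauthenticated_hits(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["target"]} ua="{h["ua"]}"')
    print("per source:", dict(sources(found)))
```

Run it over the rotated access logs from before the upgrade or the workaround went in; any output is a read of issue, project or sprint data by an unauthenticated client and belongs in the incident record. After the restriction is in place the same scan should stay empty while anonymous requests show up as 302s or 401s.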

            Sue Webber added a comment -

            If we are unable to update our version right now, is there a workaround that can be applied, as is normally the case?

            Peter Mavridis added a comment -

            Thanks Bruno. Much appreciated.

            Bruno added a comment -

            Hey 40a60042dfe3, thank you for asking!

            Yes, once the fix is included in 9.4.4, all newer 9.4.x versions (9.4.5, 9.4.6, ...) will have the fix included.
            The same happens for 9.5.x, where the issue is fixed in 9.5.1. All newer versions (9.5.2, 9.5.3, ...) will have the fix included.

            I have edited the Description to be a bit more clear.

            I hope it helps.

            Peter Mavridis added a comment -

            Hello,

            The information on this page is not consistent and a little confusing. Is 9.4.5 LTS affected by this?

            9.4.4 is listed as fixed; does this mean the fix is in 9.4.5?

            Kevin Lange added a comment - edited

            We can only guess what influences Atlassian's value of the "Priority" field. I'm not too concerned about the assigned priority, as self-hosted Atlassian Server/Data Center product security flaws are largely treated with the same remediation timeline: 90 days (mediums to critical). Lows are given 120 days.

            If you want a faster remediation timeline but stability, stay on the most current Long-Term Support version of Atlassian products; the older LTS version will usually get patched last. If you want super-fast remediation, but don't mind the feature/compatibility lurches, one can always move to the most current major version (regardless of LTS).

            I suspect the slow response is partly another advert to consider their SaaS offerings, which enjoy a more expedient security flaw remediation timeframe.

            8.20.21 is now part of the Fix Versions field, but there are no release notes for 8.20.21 published.

            Andris Grinbergs added a comment -

            "allowed an unauthenticated remote attacker to fetch Issue, Project and Sprint information"
            CVSS: 7.5 (High)
            Priority - LOW ???

            Francisco Villar Romasanta added a comment - edited

            We need 8.20.21! Please speed up the process.
            And/or we need a workaround/mitigation.

            Matt Doar added a comment -

            Release Notes should not be updated after the release, because you can't guarantee that anyone will ever look at them again. Better to leave the info in the next patch release 9.4.5 and add a note there that the bug was also fixed in 9.4.4.

            Kevin Lange added a comment - edited

            Jira 9.4.4 was first released with ZERO included defects on the release notes page, then 3 defects fixed were noted a day or so later. Now, a fix for this defect magically appears in 9.4.4 five days later? 9.4.4 was released on March 16, not today (March 21, or March 22 if you live in Australia).

            Atlassian, you can do better than this.

            For consistency, can you please update the Description, where the "Fixed in" text only lists two newer versions fixed? Vulnerability scanners key off that description to determine CPEs affected by a CVE.

            Zul NS [Atlassian] added a comment -

            Hi everyone,

            An update has been made to the fix version to include 9.4.4 and 8.20.21. As of today, March 22nd, 9.4.4 has been released while 8.20.21 is currently planned.

            Thanks,
            Atlassian Support

            Hossam Ahmed Mohamed added a comment -

            Another patch, 8.20.20, was released on the 15th of March with no fix for this vulnerability!!

            So 2 new 8.20.x LTS versions were released after announcing this vulnerability, and no fix or workaround yet.

            Is there any way to speed this up?

            Kevin Lange added a comment -

            Atlassian is obligated to fix per their bug-fix policy. Typically (my observation) when flaws are found in the newer, non-LTS versions of Atlassian products, the flaw is fixed in that version, then back-ported to the LTS versions. Atlassian runs on a monthly cadence for patches, so expect a patch either in the next week (mid-March) or it could be as long as waiting another month (mid-April).

            Rakesh Jajper added a comment -

            Why is this not being fixed in LTS and released there?

            It's too risky to jump to the latest and newest version, as we heavily rely on LTS.

            Kevin Lange added a comment -

            Atlassian has 90 days to produce a back-ported fix per their bug fix policy (https://www.atlassian.com/trust/security/bug-fix-policy):

            • Critical, High, and Medium severity bugs to be fixed in product within 90 days of being verified.

            I personally disagree with this policy, as bucketing Criticals with the same timeline as Mediums is unsatisfactory, and 90 days greatly exceeds our organization's timeline for remediation.

            Since a fix may not arrive for another month or two, can Atlassian please provide a workaround?

            Richard Bukovansky added a comment -

            I don't see it here: https://confluence.atlassian.com/jirasoftware/issues-resolved-in-8-20-19-1217298553.html

            Either it's not there, or they forgot to properly label this issue.

            Hossam Ahmed Mohamed added a comment -

            Hi,

            I can see a new Jira LTS version published yesterday, 8.20.19. Could you please confirm if this version fixes the issue?

            Best regards,

            Richard Bukovansky added a comment -

            Hi,
            I believe the "introduction" means "we are letting you know that there is this issue," not "we are going to code the vulnerability into the product."

            Richard

            Peter Loeber added a comment -

            Hi @Richard Bukovansky: Thank you for that information!
            Nevertheless, I'm still hoping that they'll fix this vulnerability with the next bugfix release instead of introducing it.

            Richard Bukovansky added a comment -

            @Peter Loeber: 8.20.18 was canceled and removed from the download pages because of a regression.
            See https://confluence.atlassian.com/jirasoftware/issues-resolved-in-8-20-18-1209869600.html

            I believe they are going to release 8.20.19 instead.

            Richard

            Peter Loeber added a comment -

            Hi,
            what you have documented here ("Affects Version/s ... 8.20.18*") means that you plan to introduce this vulnerability for version 8.20 with the next bug fix release, 8.20.18. Hope... you won't do so!
            I'm still hoping that you plan to fix it with this bug fix release, won't you?

            Amr Hamza (Legacy) added a comment -

            We are also interested in a workaround and an LTS fix version. Like Hannes said, carrying out upgrades in a short time can be a bit cumbersome.

            Hannes Medwed added a comment -

            We are currently planning an update to 9.4.3 because of the vulnerability https://jira.atlassian.com/browse/JRASERVER-73926
            Since there is still no FIX for this vulnerability in 9.4.X, is there a workaround so that we don't have to carry out another update within a very short time?

            PJ added a comment - edited

            I'm running 9.4.2. Is there a CVE (common vulnerability exposure) for this?

            We need more info to move it forward.

            As asked above, is there a planned release to patch it via LTS 9.4.X?

            I just upgraded to this version a month ago.

            Marek Pytel added a comment - edited

            I second @Bastian Stehmann's question: Is the version 8.20.16 LTS affected and, if so, is there a workaround or fix for that available?

            Bastian Stehmann added a comment -

            Need this for 8.20.x LTS as well. Or a workaround for that version.

            Kristoffer Skude Jensen added a comment -

            Are there any plans to release a 9.4.X (LTS) version where this bug is fixed?

            Security Metrics Bot added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 7.5 => High severity

            Exploitability Metrics

            Attack Vector: Network
            Attack Complexity: Low
            Privileges Required: None
            User Interaction: None

            Scope Metric

            Scope: Unchanged

            Impact Metrics

            Confidentiality: High
            Integrity: None
            Availability: None

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

              Assignee: Unassigned
              Reporter: Security Metrics Bot
              Affected customers: 0
              Watchers: 43