• Type: Bug
• Resolution: Fixed
• Priority: High (View bug fix roadmap)
• Fix Version/s: 9.6.0, 9.5.1, 9.4.4, 8.20.21
• Affects Version/s: 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 8.20.18
• Component/s: Security
• Labels:

  • advisory
  • advisory-released
  • dont-import
  • security
  • 🔢✅

[JRASERVER-74771] Information Disclosure via QueryCompenentRenderer API

Bugfix Automation Bot made changes - 25/Feb/2025 11:30 AM

Introduced in Version

New: 8.2

Soner Sezgin made changes - 25/Feb/2025 10:53 AM

Symptom Severity		New: Severity 2 - Major [ 15831 ]
Workflow	Original: JAC Public Security Vulnerability Workflow v2 [ 4341798 ]	New: JAC Bug Workflow v3 [ 4510126 ]
Issue Type	Original: Public Security Vulnerability [ 10700 ]	New: Bug [ 1 ]
Status	Original: Published [ 12873 ]	New: Closed [ 6 ]

Collapse comment: David Yu added a comment - 23/Oct/2023 8:56 PM

David Yu added a comment - 23/Oct/2023 8:56 PM

Having been previously bitten by JRASERVER-71536 (/secure/QueryComponent.jspa), I setup a forced authentication rule with Resolution SSO for SAML, and forced auth on all endpoints /secure/*. Looks like that rule came in handy here as I missed the annoucement for this vuln. Highly recommend especially if you are already using it.

Expand comment: David Yu added a comment - 23/Oct/2023 8:56 PM

David Yu added a comment - 23/Oct/2023 8:56 PM Having been previously bitten by JRASERVER-71536 (/secure/QueryComponent.jspa), I setup a forced authentication rule with Resolution SSO for SAML, and forced auth on all endpoints /secure/* . Looks like that rule came in handy here as I missed the annoucement for this vuln. Highly recommend especially if you are already using it.

Collapse comment: Ranjith Koolath added a comment - 19/Sep/2023 7:31 AM, Edited by Ranjith Koolath - 19/Sep/2023 7:31 AM

Ranjith Koolath added a comment - 19/Sep/2023 7:31 AM - edited

You may consider employing a workaround by limiting the endpoint for users without authentication. The necessary steps can be found in this knowledge base article: : https://confluence.atlassian.com/jirakb/restrict-unauthenticated-access-for-some-jira-endpoints-1206796039.html

Expand comment: Ranjith Koolath added a comment - 19/Sep/2023 7:31 AM, Edited by Ranjith Koolath - 19/Sep/2023 7:31 AM

Ranjith Koolath added a comment - 19/Sep/2023 7:31 AM - edited You may consider employing a workaround by limiting the endpoint for users without authentication. The necessary steps can be found in this knowledge base article: : https://confluence.atlassian.com/jirakb/restrict-unauthenticated-access-for-some-jira-endpoints-1206796039.html

Kaili Gu made changes - 11/Sep/2023 5:52 AM

Link

New: This issue has a derivative of JRASERVER-76261 [ JRASERVER-76261 ]

Cathy S made changes - 25/May/2023 2:48 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 765126 ]

Collapse comment: Sue Webber added a comment - 04/May/2023 9:14 AM

Sue Webber added a comment - 04/May/2023 9:14 AM

If unable to update our version right now, is there a workaround that can be applied as is normally the case ?

Expand comment: Sue Webber added a comment - 04/May/2023 9:14 AM

Sue Webber added a comment - 04/May/2023 9:14 AM If unable to update our version right now, is there a workaround that can be applied as is normally the case ?

Collapse comment: Peter Mavridis added a comment - 26/Apr/2023 11:22 PM

Peter Mavridis added a comment - 26/Apr/2023 11:22 PM

Thanks Bruno. 

Much appreciated.

Expand comment: Peter Mavridis added a comment - 26/Apr/2023 11:22 PM

Peter Mavridis added a comment - 26/Apr/2023 11:22 PM Thanks Bruno.  Much appreciated.

Collapse comment: Bruno added a comment - 26/Apr/2023 11:01 PM

Bruno added a comment - 26/Apr/2023 11:01 PM

Hey 40a60042dfe3 , thank you for asking!

Yes, once the fix is included in 9.4.4, all 9.4.x newer versions (9.4.5, 9.4.6, ...) will have the fix included. 
The same happens for 9.5.x where the issue is fixed on 9.5.1. All newer versions (9.5.2, 9.5.3, ...) will have the fix included. 

I have edited the Description to be a bit more clear. 

I hope it helps.

Expand comment: Bruno added a comment - 26/Apr/2023 11:01 PM

Bruno added a comment - 26/Apr/2023 11:01 PM Hey 40a60042dfe3 , thank you for asking! Yes, once the fix is included in 9.4.4, all 9.4.x newer versions (9.4.5, 9.4.6, ...) will have the fix included.  The same happens for 9.5.x where the issue is fixed on 9.5.1. All newer versions (9.5.2, 9.5.3, ...) will have the fix included.  I have edited the Description to be a bit more clear.  I hope it helps.

Bruno made changes - 26/Apr/2023 11:00 PM

Description

Original: Affected versions of Atlassian Jira Server and Data Centre allowed an unauthenticated remote attacker to fetch Issue,Project and Sprint information via Information Disclosure Vulnerability via "/secure/QueryComponentRendererValue!Default.jspa" endpoint. *Affected versions:*  * version < 9.5.1 *Fixed versions:*  * 9.5.1  * 9.6.0

New: Affected versions of Atlassian Jira Server and Data Centre allowed an unauthenticated remote attacker to fetch Issue,Project and Sprint information via Information Disclosure Vulnerability via "/secure/QueryComponentRendererValue!Default.jspa" endpoint. *Affected versions:*  * version < 9.5.1 *Fixed versions:*  * 8.20.21 and newer  * 9.4.4 and newer  * 9.5.1 and newer  * 9.6.0 and newer

Load more older events