Suggestion
Resolution: Fixed
Jira used to allow a System administrator user to upload an arbitrary plugin via the web and REST interfaces. Most instances do not need this functionality, so beginning with Jira 9.14.0 it will be disabled by default. This will close one attack vector should the System administrator credentials ever be compromised.
Specifically, the following will change:
- The "Upload app" button on the "Manage apps" page will no longer be present by default
- The "Upload an application" button on the "Versions & licenses" page will no longer be present by default
- The REST API that permits a plugin to be uploaded from the client will be disabled by default
- The REST API that permits a plugin to be installed will only allow installation from Atlassian Marketplace by default
However, it will still be possible to install and upgrade plugins from Atlassian Marketplace via the "Find new apps" page.
Admins who do need the ability to upload plugins should set the following system property:
-Dupm.plugin.upload.enabled=true
See Setting properties and options on startup for guidance.
When upgrading an existing instance that needs this feature enabled, you can add this property before the upgrade.
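
To audit whether an instance has re-enabled upload, the check below inspects a JVM argument string or a startup script for the property above. It is an added example, not Atlassian code. It assumes that a repeated -D flag resolves last-one-wins and that only the value "true" enables upload; the `JVM_SUPPORT_RECOMMENDED_ARGS` line and the sample file are constructed.

```shell
#!/bin/sh
# Added example (not Atlassian code). Assumptions: a repeated -D flag is resolved
# last-one-wins, and only the value "true" (any letter case) enables upload.
PROP='-Dupm.plugin.upload.enabled='

# Print "enabled" or "disabled" for a JVM argument string ($1), for example the
# output of `ps -o args= -p <jira pid>`. Runs in a subshell so `set -f` stays local.
upm_upload_state() (
    set -f                      # no globbing while splitting the string into words
    state=disabled              # default from Jira 9.14.0 onward, per the page
    for word in $1; do
        word=$(printf '%s' "$word" | tr -d "\"'")    # drop shell quoting
        case $word in
            *"$PROP"*)
                value=${word##*$PROP}
                value=$(printf '%s' "$value" | tr 'A-Z' 'a-z')
                if [ "$value" = true ]; then state=enabled; else state=disabled; fi
                ;;
        esac
    done
    printf '%s\n' "$state"
)

# Same check for a startup script such as bin/setenv.sh ($1), ignoring
# commented-out lines so a disabled override is not reported as active.
upm_upload_state_in_file() {
    upm_upload_state "$(grep -v '^[[:space:]]*#' "$1")"
}

# Constructed sample: a setenv.sh fragment with a commented-out and a live override.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#JVM_SUPPORT_RECOMMENDED_ARGS="-Dupm.plugin.upload.enabled=false"
JVM_SUPPORT_RECOMMENDED_ARGS="-Xlog:gc -Dupm.plugin.upload.enabled=true"
EOF
echo "setenv.sh sample: plugin upload $(upm_upload_state_in_file "$sample")"
rm -f "$sample"
```

An "enabled" result on an instance that has no documented need for uploads is worth following up, since it reopens the upload path the default closes.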