• 4.3
    • Medium

      Affected versions of Atlassian Jira Service Management Server and Data Center allow an authenticated attacker who doesn't have permission to access a project to view the names of private projects via an Information Disclosure vulnerability in the /rest/insight/1.0/project/picker endpoint.

      Affected versions:

      • version < 4.20.4

      Fixed versions:

      • 4.20.4
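The defect class the advisory describes, as an added illustration that is not Atlassian's code and does not reproduce the real endpoint: a hypothetical project picker that returns project names after authenticating the caller but without authorizing each project, beside a version that filters on the caller's browse permission. All project and user data below is constructed.

```python
"""Illustration (not Atlassian's code) of the access-control defect class the advisory
describes: a "project picker" endpoint that returns project names without checking
whether the caller may browse each project, beside a hardened version that filters
on the caller's permissions. All names and data here are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Project:
    key: str
    name: str
    private: bool  # constructed flag: private projects are visible only to members


@dataclass
class User:
    name: str
    # keys of the private projects this user is allowed to browse
    browsable: frozenset = field(default_factory=frozenset)


# Constructed sample data standing in for an instance's project catalogue.
PROJECTS = [
    Project("PUB", "Public Helpdesk", private=False),
    Project("HR", "HR Investigations", private=True),
    Project("SEC", "Security Incidents", private=True),
]


def can_browse(user: User, project: Project) -> bool:
    """Authorization check: anyone may browse a public project; a private one only if listed."""
    return not project.private or project.key in user.browsable


def picker_vulnerable(user: User, query: str = "") -> list[str]:
    """Flawed picker: the caller is authenticated (any User object) but never authorized
    per project, so a name search leaks the names of private projects the caller cannot access."""
    q = query.lower()
    return [p.name for p in PROJECTS if q in p.name.lower()]


def picker_fixed(user: User, query: str = "") -> list[str]:
    """Hardened picker: apply the per-project authorization check before the name match,
    so the result set reveals no project the caller could not browse anyway."""
    q = query.lower()
    return [p.name for p in PROJECTS if can_browse(user, p) and q in p.name.lower()]


def leaked_names(user: User, query: str = "") -> list[str]:
    """Audit helper: names the vulnerable picker exposes that the fixed one withholds."""
    allowed = set(picker_fixed(user, query))
    return [n for n in picker_vulnerable(user, query) if n not in allowed]


if __name__ == "__main__":
    outsider = User("outsider")  # authenticated, member of no private project
    print("vulnerable:", picker_vulnerable(outsider))
    print("fixed:     ", picker_fixed(outsider))
    print("leaked:    ", leaked_names(outsider))
```

The point of the comparison is that authentication alone is not a filter: any endpoint that enumerates or searches objects has to apply the same per-object permission check the object's own page applies, otherwise the listing itself becomes the disclosure.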

            [JSDSERVER-11206] REST API Endpoint Leaked private project to unauthorized user

            AB made changes -
            Resolution New: Fixed [ 1 ]
            Security Original: Atlassian Staff [ 10750 ]
            Status Original: Draft [ 12872 ] New: Published [ 12873 ]
            AB made changes -
            Description Original: Affected versions of Atlassian Jira Service Management Server and Data Center allow an authenticated attacker who doesn't have permission to access a project to view the names of private projects via an Information Disclosure vulnerability in the {{/rest/insight/1.0/project/picker}} endpoint.

            *Affected versions:*
             - [list version ranges\{^}¶\{^}]

            *Fixed versions:*
             - 4.20.4
            New: Affected versions of Atlassian Jira Service Management Server and Data Center allow an authenticated attacker who doesn't have permission to access a project to view the names of private projects via an Information Disclosure vulnerability in the {{/rest/insight/1.0/project/picker}} endpoint.

            *Affected versions:*
             - version < 4.20.4

            *Fixed versions:*
             - 4.20.4
            AB made changes -
            Description Original: Affected versions of Atlassian [$product] [Cloud, Desktop, or Server and Data Center?] allow [what kind of attacker?*] to [do something bad†] via a [type of vulnerability{^}§{^}] in the [$blah component | $blah feature | $blah endpoint].

            [Credit for an external reporter who told us about the bug, if they agree to be credited, e.g. “This vulnerability was reported by Jane Doe of The FooBar Corporation.”]

            [Optional workaround information]

            *Affected versions:*

            - [list version ranges{^}¶{^}]

            *Fixed versions:*

            - [list version ranges{^}¶{^}]
            New: Affected versions of Atlassian Jira Service Management Server and Data Center allow an authenticated attacker who doesn't have permission to access a project to view the names of private projects via an Information Disclosure vulnerability in the {{/rest/insight/1.0/project/picker}} endpoint.

            *Affected versions:*
             - [list version ranges\{^}¶\{^}]

            *Fixed versions:*
             - 4.20.4
            AB made changes -
            Description Original:
            This vulnerability affects certain versions of Atlassian Jira Service Management Server. Please describe the impact of the vulnerability here. No known vulnerability could be read off of the parent.
            New: Affected versions of Atlassian [$product] [Cloud, Desktop, or Server and Data Center?] allow [what kind of attacker?*] to [do something bad†] via a [type of vulnerability{^}§{^}] in the [$blah component | $blah feature | $blah endpoint].

            [Credit for an external reporter who told us about the bug, if they agree to be credited, e.g. “This vulnerability was reported by Jane Doe of The FooBar Corporation.”]

            [Optional workaround information]

            *Affected versions:*

            - [list version ranges{^}¶{^}]

            *Fixed versions:*

            - [list version ranges{^}¶{^}]
            Security Metrics Bot made changes -
            Labels New: advisory advisory-to-release dont-import security
            Security Metrics Bot created issue -