Applink configuration data is exposed anonymously

2014-05-08T07:34:01
ID ATLASSIAN:JRA-38225
Type atlassian
Reporter pwyatt
Modified 2017-02-20T02:55:49

Description

If you make an anonymous GET request to /rest/issueLinkAppLink/1/appLink/info , the instance will tell you all the names, IDs and URLs of the applinks configured on the instance.

e.g. an anonymous request to https://jira.atlassian.com/rest/issueLinkAppLink/1/appLink/info returns

{code:javascript}
[{"id":"bf9e23a3-cc04-36ee-b79b-9cedfd31c093","name":"J2BAC","primary":true,"url":"https://jira-bamboo.internal.atlassian.com","requireCredentials":false},
 {"id":"59790c26-8745-38af-9c96-93c79d9f1503","name":"Tardigrade Server","primary":false,"url":"http://tardigrade.syd.atlassian.com:8085/bamboo","requireCredentials":false},
 {"id":"013f5282-0b14-364a-8540-2898f6c4942b","name":"Atlassian Support System","primary":true,"url":"https://support.atlassian.com","requireCredentials":false},
 {"id":"d9d6a279-fbca-3f60-a3b5-9e45cd06f208","name":"pug - 2","primary":false,"url":"https://pug.jira-dev.com/wiki","requireCredentials":false},
 {"id":"5b430198-7e5b-307f-a7c0-5a78a6bc8f89","name":"sdog","primary":false,"url":"https://sdog.jira.com/wiki","requireCredentials":false},
 {"id":"4bfd3699-074f-3896-8f44-fedc79d0ee71","name":"SDOG","primary":false,"url":"https://sdog.jira.com","requireCredentials":false},
 {"id":"3c41d9a6-f687-3ded-a9d4-381929f3c494","name":"BEAC","primary":false,"url":"https://bamboo.extranet.atlassian.com","requireCredentials":false},
 {"id":"5a93509c-05a1-32ce-b57c-620dd7520b19","name":"Over Board","primary":true,"url":"https://atlassian-labs-bob-plugin.herokuapp.com/atlassian-labs-bob-plugin","requireCredentials":false},
 {"id":"2175b681-48f6-3200-964b-bce0b7137a1c","name":"Bitbucket JIRA","primary":false,"url":"https://bitbucket.atlassian.net","requireCredentials":false},
 {"id":"1202c5f7-2db8-3476-90b9-79417ee44946","name":"Atlassian JIRA Extranet - Special Projects","primary":false,"url":"https://extranet.atlassian.com/jira","requireCredentials":false},
 {"id":"45898c46-7fe1-3ca3-94cb-9258cf4fe4d2","name":"Atlassian Documentation","primary":false,"url":"https://confluence.atlassian.com","requireCredentials":false},
 {"id":"344ce3fe-d1a2-3d69-975c-7ffc05bbedd0","name":"EAC","primary":true,"url":"https://extranet.atlassian.com","requireCredentials":false},
 {"id":"111ef75e-b4e9-3b8c-8383-8f3d43742d4b","name":"Atlassian Japan Confluence","primary":false,"url":"https://confluence.atlassian.co.jp","requireCredentials":false},
 {"id":"bf13be6c-926b-318e-95cc-99dc04f8597e","name":"Pug - Confluence Dogfood","primary":false,"url":"https://pug.jira.com/wiki","requireCredentials":false},
 {"id":"ca4857c9-5578-33e5-b17c-bb2605020e76","name":"JDOG - JIRA Team Dogfood","primary":false,"url":"https://jdog.jira-dev.com","requireCredentials":false},
 {"id":"92004b08-5657-3048-b5dc-f886e662ba15","name":"fisheye","primary":true,"url":"https://fisheye.dev.internal.atlassian.com","requireCredentials":false},
 {"id":"ee3024d1-2cb6-392e-892f-5e371515cbbf","name":"confluence-bamboo","primary":false,"url":"https://confluence-bamboo.internal.atlassian.com","requireCredentials":false},
 {"id":"61b6191d-d412-3043-a96c-75b7bceaed1f","name":"Ecosystem JIRA","primary":false,"url":"https://ecosystem.atlassian.net","requireCredentials":false},
 {"id":"62153ed0-1c05-3f55-886f-d46708ffcc91","name":"Stash Dev","primary":true,"url":"https://stash.dev.internal.atlassian.com","requireCredentials":false},
 {"id":"cecb847c-a45b-3919-b565-44cbd9367482","name":"Stash","primary":false,"url":"https://stash.atlassian.com","requireCredentials":false},
 {"id":"c37fbd42-9b1d-3ae5-ad73-b39eb7f61cf1","name":"atlaseye","primary":false,"url":"https://atlaseye.atlassian.com","requireCredentials":false},
 {"id":"bac636e3-290e-36d2-acbd-2fc45e4fafd9","name":"devtools-bamboo","primary":false,"url":"https://devtools-bamboo.internal.atlassian.com","requireCredentials":false}]
{code}

It doesn't appear to expose any authentication data, but we don't have basic auth set up on any of these applinks.
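
An added example, not part of the original report or of Atlassian's code: a check an administrator could run over the status and body of an anonymous request to this endpoint on their own instance, reporting which hosts are disclosed and whether any field beyond the five seen in the sample above appears. The function name `audit`, the `example.test` hosts and the `username` field in the sample are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

ENDPOINT = "/rest/issueLinkAppLink/1/appLink/info"   # path from the report
# Fields seen in the report's sample response; anything else deserves a look,
# since the report only says auth data did not *appear* to be exposed.
KNOWN_FIELDS = {"id", "name", "primary", "url", "requireCredentials"}


def audit(status, body):
    """Summarise what an anonymous response from ENDPOINT discloses."""
    result = {"exposed": False, "links": 0, "hosts": [], "cleartext": [],
              "unexpected_fields": []}
    if status != 200:
        return result            # 401/403/404: nothing handed to anonymous users
    try:
        links = json.loads(body)
    except ValueError:
        return result            # e.g. an HTML login page, not applink data
    if not isinstance(links, list):
        return result
    links = [link for link in links if isinstance(link, dict)]
    hosts, cleartext, extra = set(), set(), set()
    for link in links:
        parts = urlsplit(str(link.get("url", "")))
        if parts.hostname:
            hosts.add(parts.hostname)
            if parts.scheme == "http":       # applink reached without TLS
                cleartext.add(parts.hostname)
        extra |= set(link) - KNOWN_FIELDS
    result.update(exposed=bool(links), links=len(links), hosts=sorted(hosts),
                  cleartext=sorted(cleartext), unexpected_fields=sorted(extra))
    return result


# Constructed sample in the shape of the report's response (not real data).
SAMPLE = json.dumps([
    {"id": "00000000-0000-0000-0000-000000000001", "name": "Build",
     "primary": True, "url": "https://bamboo.internal.example.test",
     "requireCredentials": False},
    {"id": "00000000-0000-0000-0000-000000000002", "name": "Wiki",
     "primary": False, "url": "http://wiki.example.test:8085/wiki",
     "requireCredentials": False, "username": "svc"},  # hypothetical extra field
])

if __name__ == "__main__":
    print(audit(200, SAMPLE))
```

A non-200 status or a non-JSON body (such as a login page) is reported as not exposed, which is the result to expect once the endpoint requires authentication.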