Direct access to issue via URL discloses structure without authentication

2012-03-05T10:35:07
ID ATLASSIAN:JRASERVER-27386
Type atlassian
Reporter nicolinux
Modified 2017-02-20T00:43:19

Description

If an issue is accessed via the direct URL, an error message discloses whether the issue exists or not, even when the user isn't logged in. In contrast, an existing issue redirects to the login form. This knowledge may open an attack vector on private Jira instances that require authentication.