Unauthenticated user can check the whitelist rules for any URL

2019-07-09T20:54:49
ID ATLASSIAN:JRASERVER-69591
Type atlassian
Reporter mjohnson2@atlassian.com
Modified 2019-07-10T13:30:01

Description

h3. Issue Summary

This issue was discovered through our bug bounty program. An unauthenticated user can check if a URL is permitted through the whitelist.  {noformat} /rest/whitelist/1/check?url=http://www.atlassian.com{noformat} returns the whitelist rules associated with http://www.atlassian.com (inbound/outbound connections allowed) h3. Environment * Jira Server 8.2.1

h3. Steps to Reproduce # Start your Jira instance # In the terminal: {noformat} curl http://localhost/rest/whitelist/1/check?url=http://www.atlassian.com{noformat} or open in browser as unauthenticated user: {noformat} http://localhost/rest/whitelist/1/check?url=https%3A%2F%2Fjira.atlassian.com{noformat}

h3. Expected Results

Information unaccessible to unauthenticated user. h3. Actual Results

Unauthenticated user can see the whitelist rules associated with the supplied URL. h3. Workaround

None