CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | AV:N/AC:L/Au:N/C:P/I:N/A:N |

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | LOW |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |

EPSS percentile: 47.2%

Users without session information should be pushed to the login page.
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in Login.
Affected versions:
Fixed versions:
Notes:
If the fix is causing problems, it can be disabled by [adding a dark feature flag to Jira|https://confluence.atlassian.com/jirakb/enable-dark-feature-in-jira-959286331.html]:
{code:java}
jira.redirect.anonymous.404.errors.disabled
{code}
The fix is available in LTS versions 7.13.15+ and 8.5.6+, but will be disabled. It can be enabled by [adding a dark feature flag to Jira|https://confluence.atlassian.com/jirakb/enable-dark-feature-in-jira-959286331.html]:
{code:java}
jira.redirect.anonymous.404.errors.enabled
{code}
Both feature flags can be [added by an admin via the page <jira_directory>/secure/SiteDarkFeatures!default.jspa|https://confluence.atlassian.com/jirakb/enable-dark-feature-in-jira-959286331.html].
Vendor | Product | Version | CPE |
---|---|---|---|
atlassian | jira_data_center | * | cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:* |