5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.006 Low
EPSS
Percentile
78.8%
h3. Issue Summary
Unauthorized access to data from the following API even if the public.access.disabled is enabled.
/rest/api/2/projectCategory
/rest/api/2/resolution
/rest/menu/latest/admin
h3. Steps to Reproduce
h3. Expected Results
h3. Actual Results
h3. Workaround
Anonymous access to endpoints listed below is restricted starting Jira 9.0. On future Jira 8.x releases and all LTS releases it is possible to restrict anonymous access with feature flags.
On Jira 8.x to restrict anonymous access to the endpoint you need to disable [feature flag|https://confluence.atlassian.com/jirakb/enable-dark-feature-in-jira-959286331.html] aka provide {{<feature.flag>.disabled}}
On Jira 9.0 you need to enable the same feature flag aka provide {{<feature.flag>.enabled}}
{{}}
You can use given feature flags:
/rest/api/2/projectCategory -Β com.atlassian.jira.security.endpoint.anonymous.access.projectCategoryΒ (Anonymous access disabled completely)
/rest/api/2/resolution - Β com.atlassian.jira.security.endpoint.anonymous.access.resolution (Anonymous access blocked only when there is no projects available for anonymous users)
/rest/menu/latest/admin - There is currently no feature flag to disable anonymous access, please check linked ticket in βduplicates byβ to track this problem.
On Jira 9.0 to Jira 9.5 will be possible to enable anonymous for listed endpoints but post 9.5 anonymous access will be disabled permanently.
CPE | Name | Operator | Version |
---|---|---|---|
jira data center | le | 8.13.9 |
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.006 Low
EPSS
Percentile
78.8%