Information Disclosure ever after CVE-2020-14179/JRASERVER-71536

h3. Issue Summary

Unauthorized access to data from the following API even if the public.access.disabled is enabled.
/rest/api/2/projectCategory
/rest/api/2/resolution
/rest/menu/latest/admin
h3. Steps to Reproduce

• Install Jira 8.13.9 with H2 database
• Create a project and some Project categories
• Run the API call “http://localhost:48139/j8139/rest/api/2/projectCategory” without the username and password.

h3. Expected Results

• Unauthorised access and the data should not be visible.

h3. Actual Results

• Project categories, resolutions, and usernames are listed even if the API is not authenticated

h3. Workaround

Anonymous access to endpoints listed below is restricted starting Jira 9.0. On future Jira 8.x releases and all LTS releases it is possible to restrict anonymous access with feature flags.

On Jira 8.x to restrict anonymous access to the endpoint you need to disable [feature flag|https://confluence.atlassian.com/jirakb/enable-dark-feature-in-jira-959286331.html] aka provide {{<feature.flag>.disabled}}

On Jira 9.0 you need to enable the same feature flag aka provide {{<feature.flag>.enabled}}

{{}}

You can use given feature flags:

/rest/api/2/projectCategory - com.atlassian.jira.security.endpoint.anonymous.access.projectCategory  (Anonymous access disabled completely)

/rest/api/2/resolution -  com.atlassian.jira.security.endpoint.anonymous.access.resolution (Anonymous access blocked only when there is no projects available for anonymous users)

/rest/menu/latest/admin - There is currently no feature flag to disable anonymous access, please check linked ticket in “duplicates by” to track this problem.

On Jira 9.0 to Jira 9.5 will be possible to enable anonymous for listed endpoints but post 9.5 anonymous access will be disabled permanently.