The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain the names of custom project avatars via an improper authorization vulnerability.
[
{
"product": "Jira Server and Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.9.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
]