Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability

[h4ckboy19]

Naman Shah

BUG --> INFORMATION DISCLOUSER

Hello team,My name is Naman.I have found information disclouser on your jira instance

Summary:

Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability

in the /secure/QueryComponent!Default.jspa endpoint. Additional details from Atlassian and related CVE-2020-14179

the Jira instance on https://blockstack.atlassian.net is vulnerable to CVE-2020-14179 which allows remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability

Steps To Reproduce:

Navigate to https://blockstack.atlassian.net/QueryComponent!Default.jspa

Supporting Material/References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14179 https://hackerone.com/reports/1003980 https://hackerone.com/reports/988550

IMPACT

the Jira instance on https://blockstack.atlassian.net is vulnerable to CVE-2020-14179 which allows remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability

Remediation

Upgrading your jira instance to the most up-to-date one. Best Regards, Naman Shah

[diwakergupta]

Thanks for the report. Issues in this repository are exclusively for bugs, features and enhancements to the Stacks Blockchain. Please refer to the bug bounty program on H1 for these types of disclosures.

[blockstack-devops]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.