Atlassian.JIRA.500.Page.Information.Disclosure

Description

JIRA is a proprietary issue tracking product, developed by Atlassian, commonly used for bug tracking, issue tracking, and project management.
Jira is prone to an information disclosure vulnerability because the application fails to sufficiently sanitize user-supplied input. Remote attackers can visit the ConfigureReport.jspa page with an invalid reportKey parameter, which triggers the display of a standard JIRA 500 page. This could allow the attacker to view sensitive information regarding the underlying web server.
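One way to spot the request pattern described above in web server access logs, as an added defender-side example that is not part of this signature page (the log lines, IP addresses, the /secure/ path prefix and the reportKey values are constructed for illustration):

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2010:10:01:02 +0000] "GET /secure/ConfigureReport.jspa?reportKey=valid-report HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2010:10:01:05 +0000] "GET /secure/ConfigureReport.jspa?reportKey=doesnotexist HTTP/1.1" 500 4301 "-" "curl/7.19"
10.0.0.9 - - [12/Mar/2010:10:01:07 +0000] "GET /browse/TEST-1 HTTP/1.1" 200 9000 "-" "curl/7.19"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return a dict of the fields above, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def is_configurereport_500(entry):
    """True when ConfigureReport.jspa was requested with a reportKey and answered 500."""
    parts = urlsplit(entry["target"])
    if not parts.path.lower().endswith("/configurereport.jspa"):
        return False
    query = parse_qs(parts.query)
    return entry["status"] == 500 and "reportKey" in query

def find_suspect_requests(log_text):
    """Collect (client IP, request target) for every matching log line."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_configurereport_500(entry):
            hits.append((entry["ip"], entry["target"]))
    return hits
```

A 500 from this page with a reportKey present is the condition the signature describes; on a patched or hardened instance the same request should no longer yield the verbose error page.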

Affected Products

Atlassian JIRA 4.0.1 and earlier.

Impact

This vulnerability could allow the attacker to view sensitive information regarding the underlying web server.

Recommended Actions

Follow the instructions in the vendor's knowledge base (https://confluence.atlassian.com/display/JIRAKB/Remove+information+from+the+500+page) and modify 500page.jsp, or upgrade to JIRA versions later than 4.0.1.

Telemetry

Coverage

IPS (Regular DB)
IPS (Extended DB)