Atlassian.JIRA.500.Page.Information.Disclosure
Description
JIRA is a proprietary issue tracking product, developed by Atlassian, commonly used for bug tracking, issue tracking, and project management.
Jira is prone to an information disclosure vulnerability because the application fails to sufficiently sanitize user-supplied input. A remote attacker can visit the ConfigureReport.jspa page with an invalid reportKey parameter, which triggers the display of a standard JIRA 500 page. This could allow the attacker to view sensitive information about the underlying web server.
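As an added defender-side illustration (not part of this advisory or of Atlassian's code), the following parses constructed access-log lines and flags requests to ConfigureReport.jspa that were answered with a 500, the condition under which the unsanitized reportKey reaches the error page. The /secure/ path prefix, the reportKey values and the client addresses are assumptions made for the sample.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined access-log format (not real traffic).
# The /secure/ prefix and the reportKey values are assumptions for illustration.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2010:10:00:01 +0000] "GET /secure/ConfigureReport.jspa?reportKey=valid-report HTTP/1.1" 200 4123
198.51.100.7 - - [01/Jan/2010:10:00:02 +0000] "GET /secure/ConfigureReport.jspa?reportKey=no-such-report HTTP/1.1" 500 9876
198.51.100.7 - - [01/Jan/2010:10:00:03 +0000] "GET /secure/ConfigureReport.jspa?reportKey=%27 HTTP/1.1" 500 9870
10.0.0.8 - - [01/Jan/2010:10:00:04 +0000] "GET /browse/TEST-1 HTTP/1.1" 200 2200
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return (client, path, query dict, status) or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return m.group("client"), parts.path, parse_qs(parts.query), int(m.group("status"))

def find_500_page_probes(log_text):
    """Requests to ConfigureReport.jspa that produced a 500 response, with the reportKey sent."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, path, query, status = rec
        if path.endswith("/ConfigureReport.jspa") and status == 500:
            hits.append((client, query.get("reportKey", [""])[0]))
    return hits

def clients_over_threshold(log_text, threshold=2):
    """Source addresses that triggered the 500 page at least `threshold` times."""
    counts = Counter(client for client, _ in find_500_page_probes(log_text))
    return {client: n for client, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for client, key in find_500_page_probes(SAMPLE_LOG):
        print(f"500 page served to {client} for reportKey={key!r}")
    print("alert:", clients_over_threshold(SAMPLE_LOG))
```

A single 500 can be a legitimate error, so the per-source threshold is what turns the parser into an alert; tune it to the instance's normal error rate.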
Affected Products
Atlassian JIRA 4.0.1 and earlier.
Impact
This vulnerability could allow the attacker to view sensitive information regarding the underlying web server.
Recommended Actions
Follow the instructions in the vendor's knowledge base (https://confluence.atlassian.com/display/JIRAKB/Remove+information+from+the+500+page) and modify 500page.jsp, or upgrade to a JIRA version later than 4.0.1.
Coverage
IPS (Regular DB)
IPS (Extended DB)