PT-2009-40: JIRA sensitive information disclosure

Affected Software

Versions prior to 3.13.4-#354

Product Link:

Severity Rating

Severity: Low
Impact: Sensitive information disclosure
Attack Vector: Remote


Base Score: 0.0
Temporal Score: 0.0
Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:N/E:P/RL:O/RC:C)

CVE: not assigned

Software Description

JIRA lets you prioritise, assign, track, report and audit your 'issues,' whatever they may be — from software bugs and help-desk tickets to project tasks and change requests.

Vulnerability Description

Positive Technologies Research Team has discovered a sensitive information disclosure vulnerability in JIRA.

The vulnerability is triggered by calling the "/secure/ConfigureReleaseNote.jspa" script: the resulting error page (atlassian-jira/500page.jsp) prints server diagnostic data, including the log file path.

An attacker who successfully exploited this vulnerability could learn the web server's root folder and other sensitive server details.

Solution

Update to the latest version.

Workaround

You can work around the problem by editing your atlassian-jira/500page.jsp and removing this line:
<li><webwork:text name="'system.error.step3'"><webwork:param name="'value0'"><% out.println(extendedSystemInfoUtils.getLogPath());%></webwork:param></webwork:text>
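The following script is an added example, not part of the original advisory or of JIRA: it audits a copy of 500page.jsp for the log-path scriptlet quoted above and writes a cleaned copy (keeping a .bak of the original), and it also scans web server access-log lines for requests to the /secure/ConfigureReleaseNote.jspa endpoint so administrators can tell whether the page was being requested before the fix was applied. The JSP snippet and the log lines embedded below are constructed samples; the Apache-style log format, the file names and the function names are assumptions.

```python
import re
from pathlib import Path

# A scriptlet that prints the log path, as in the <li> line quoted by the advisory.
# The match is scoped to a <% ... %> block so ordinary text mentioning the method is ignored.
LEAK_PATTERN = re.compile(r"<%[^%]*\.getLogPath\(\)[^%]*%>")

# Constructed excerpt of a 500page.jsp containing the disclosing line (assumption: real
# files have more context around it, but the offending line is self-contained).
SAMPLE_500PAGE = """\
<ul>
<li><webwork:text name="'system.error.step1'"/></li>
<li><webwork:text name="'system.error.step2'"/></li>
<li><webwork:text name="'system.error.step3'"><webwork:param name="'value0'"><% out.println(extendedSystemInfoUtils.getLogPath());%></webwork:param></webwork:text>
<li><webwork:text name="'system.error.step4'"/></li>
</ul>
"""

# Constructed access-log lines in Apache combined format (assumption about the log format).
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jun/2009:10:15:02 +0000] "GET /secure/ConfigureReleaseNote.jspa HTTP/1.1" 500 4821 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [24/Jun/2009:10:15:09 +0000] "GET /browse/TEST-1 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [24/Jun/2009:10:16:40 +0000] "GET /secure/ConfigureReleaseNote.jspa?projectId=1 HTTP/1.1" 500 4821 "-" "curl/7.19"',
]

LOG_PATTERN = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
PROBED_PATH = "/secure/ConfigureReleaseNote.jspa"


def find_leaks(jsp_source: str) -> list:
    """Return the 1-based line numbers in the JSP source that print the log path."""
    return [
        number
        for number, line in enumerate(jsp_source.splitlines(), start=1)
        if LEAK_PATTERN.search(line)
    ]


def remove_leaks(jsp_source: str):
    """Drop every disclosing line; return (cleaned_source, number_of_lines_removed)."""
    kept, removed = [], 0
    for line in jsp_source.splitlines(keepends=True):
        if LEAK_PATTERN.search(line):
            removed += 1
            continue
        kept.append(line)
    return "".join(kept), removed


def apply_workaround(jsp_path) -> int:
    """Apply the advisory's workaround to a file in place, keeping a .bak copy.

    Returns the number of lines removed (0 means the file was already clean
    and was left untouched).
    """
    path = Path(jsp_path)
    original = path.read_text(encoding="utf-8")
    cleaned, removed = remove_leaks(original)
    if removed:
        path.with_name(path.name + ".bak").write_text(original, encoding="utf-8")
        path.write_text(cleaned, encoding="utf-8")
    return removed


def find_probe_requests(log_lines) -> list:
    """Return (client_ip, status) for every request whose path is the affected script.

    The query string is ignored so parameterised calls are still matched.
    """
    hits = []
    for line in log_lines:
        match = LOG_PATTERN.match(line)
        if not match:
            continue  # unparsable line: skip rather than guess
        if match.group("path").split("?", 1)[0] == PROBED_PATH:
            hits.append((match.group("ip"), int(match.group("status"))))
    return hits


if __name__ == "__main__":
    print("disclosing lines in sample JSP:", find_leaks(SAMPLE_500PAGE))
    print("requests to affected script:", find_probe_requests(SAMPLE_LOG))
```

Run `apply_workaround("atlassian-jira/500page.jsp")` against a copy of your JIRA deployment first; a return value of 0 on a freshly patched install is the expected confirmation that the line is gone, and a repeated 500 status on requests to the endpoint in `find_probe_requests` output is what the error page itself would have produced while the leak was present.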

Disclosure Timeline

06/02/2009 - Vendor notified
06/03/2009 - Vendor response
06/04/2009 - The vendor confirmed the vulnerability and issued a workaround decision
06/24/2009 - Requested status update from vendor
06/24/2009 - Public disclosure

Credits

This vulnerability was discovered by Dmitry Evteev (Positive Technologies Research Team) using the professional network security scanner MaxPatrol.


Complete list of vulnerability reports published by Positive Technologies Research Team: