PT-2009-40: JIRA sensitive information disclosure
Versions prior to 3.13.4-#354
Impact: Sensitive information disclosure
Attack Vector: Remote
Base Score: 0.0
Temporal Score: 0.0
CVE: not assigned
JIRA lets you prioritise, assign, track, report and audit your 'issues,' whatever they may be — from software bugs and help-desk tickets to project tasks and change requests.
Positive Technologies Research Team has discovered a sensitive information disclosure vulnerability in JIRA.
The vulnerability was detected when calling the "/secure/ConfigureReleaseNote.jspa" script.
An attacker who successfully exploited this vulnerability could identify the web server root folder and other sensitive server data.
Update to the latest version.
You can work around the problem by editing your atlassian-jira/500page.jsp and removing this line:
<li><webwork:text name="'system.error.step3'"><webwork:param name="'value0'"><% out.println(extendedSystemInfoUtils.getLogPath());%></webwork:param></webwork:text>
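The following script is an added example, not part of the advisory or of Atlassian's code. It checks a copy of 500page.jsp for the line above, produces a patched copy with that line removed, and scans web server access logs for hits on the vulnerable script that ended in a 500 response. The JSP excerpt and the Apache combined-format log lines are constructed samples.

```python
import re

# Constructed excerpt of atlassian-jira/500page.jsp (not the real file): the
# middle <li> is the element the advisory says to remove.
SAMPLE_500PAGE = """<ul>
<li><webwork:text name="'system.error.step1'"/></li>
<li><webwork:text name="'system.error.step3'"><webwork:param name="'value0'"><% out.println(extendedSystemInfoUtils.getLogPath());%></webwork:param></webwork:text>
<li><webwork:text name="'system.error.step4'"/></li>
</ul>
"""

LEAK_MARKER = "extendedSystemInfoUtils.getLogPath()"

def find_leaking_lines(jsp_source: str) -> list:
    """1-based numbers of lines that echo the JIRA log path into the 500 page."""
    return [i for i, line in enumerate(jsp_source.splitlines(), 1)
            if LEAK_MARKER in line]

def apply_workaround(jsp_source: str) -> tuple:
    """Drop every leaking line; return (patched_source, number_of_lines_removed)."""
    kept, removed = [], 0
    for line in jsp_source.splitlines(keepends=True):
        if LEAK_MARKER in line:
            removed += 1
        else:
            kept.append(line)
    return "".join(kept), removed

# Constructed Apache combined-format access log lines (assumed format).
SAMPLE_LOG = """10.0.0.5 - - [24/Jun/2009:10:01:02 +0000] "GET /secure/ConfigureReleaseNote.jspa HTTP/1.1" 500 4312 "-" "scanner/1.0"
10.0.0.7 - - [24/Jun/2009:10:02:11 +0000] "GET /browse/TEST-1 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Jun/2009:10:03:40 +0000] "GET /secure/ConfigureReleaseNote.jspa?projectId=1 HTTP/1.1" 500 4312 "-" "scanner/1.0"
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
VULN_PATH = "/secure/ConfigureReleaseNote.jspa"

def suspicious_requests(log_text: str) -> list:
    """(client, timestamp, path) for requests to the vulnerable script that returned 500."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, _method, path, status = m.groups()
        if path.split("?", 1)[0] == VULN_PATH and status == "500":
            hits.append((client, ts, path))
    return hits
```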
06/02/2009 - Vendor notified
06/03/2009 - Vendor response
06/04/2009 - The vendor confirmed the vulnerability and issued a workaround decision
06/24/2009 - Requested status update from vendor
06/24/2009 - Public disclosure
This vulnerability was discovered by Dmitry Evteev (Positive Technologies Research Team) using the MaxPatrol professional network security scanner.
Complete list of vulnerability reports published by Positive Technologies Research Team: