PT-2009-40: JIRA sensitive information disclosure

Affected Software

JIRA
Versions prior to 3.13.4-#354


Product Link:
http://www.atlassian.com/software/jira/

Severity Rating

Severity: Low
Impact: Sensitive information disclosure
Attack Vector: Remote

CVSS v2

Base Score: 0.0
Temporal Score: 0.0
Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:N/E:P/RL:O/RC:C)

CVE: not assigned

Software Description

JIRA lets you prioritise, assign, track, report and audit your 'issues,' whatever they may be — from software bugs and help-desk tickets to project tasks and change requests.

Vulnerability Description

Positive Technologies Research Team has discovered a sensitive information disclosure vulnerability in JIRA.

The vulnerability was detected when calling "/secure/ConfigureReleaseNote.jspa" script.

An attacker who successfully exploited this vulnerability could identify web server root folder and other server sensitive data.

Solution

Update to lastest version.

Workaround

You can workaround the problem by editing your atlassian-jira/500page.jsp and removing this line:
...
<li><webwork:text name="'system.error.step3'"><webwork:param name="'value0'"><% out.println(extendedSystemInfoUtils.getLogPath());%></webwork:param></webwork:text>
...

Disclosure Timeline

06/02/2009 - Vendor notified
06/03/2009 - Vendor response
06/04/2009 - The vendor confirmed the vulnerability and issued a workaround decision
06/24/2009 - Requested status update from vendor
06/24/2009 - Public disclosure

Credits

This vulnerability was discovered by Dmitry Evteev (Positive Technologies Research Team) using professional network security scanner MaxPatrol.

References

http://en.securitylab.ru/lab/PT-2009-40
http://www.ptsecurity.ru/advisory.asp

Complete list of vulnerability reports published by Positive Technologies Research Team:

http://en.securitylab.ru/lab/
http://www.ptsecurity.ru/advisory.asp

Threatscape