📚 U.S. Dept Of Defense: [███████] Information disclosure due unauthenticated access to APIs and system browser functions

Description: Multiple information exposure vulnerabilites were identified in a Jira Server instance (unauthenticated access to APIs and system browser functions). This report describes a combination of two separate vulnerabilities in two separate services This chain of vulnerabilities allows unauthenticated attacker to run arbitrary code on a server inside the company's internal network. the vulnerable registered as references JRASERVER-73060 References https://jira.atlassian.com/browse/JRASERVER-73060 https://nvd.nist.gov/vuln/detail/CVE-2020-14179 Impact Unauthorised access and the data should not be visible. Project categories, resolutions, and usernames are listed even if the API is not authenticated System Host(s) ██████ Affected Product(s) and Version(s) CVE Numbers CVE-2020-14179 Steps to Reproduce Navigate visit the target scope is https://█████████/secure/JiraCreditsPage!default.jspa And now we found a directory is jira sensitive Lets send a curl request to the ?maxResults=1000 endpoint, as shown below. In the request, point the post request to the server address you want to send the request to: Here's the HTTP Parameter request that the issue: GET /rest/menu/latest/admin HTTP/1.1 Host: ███ Connection: keep-alive Pragma: no-cache Cache-Control: no-cache sec-ch-ua-platform: "Mac OS" Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors * https://██████/secure/JiraCreditsPage!default.jspa * https://███████/rest/menu/latest/admin?maxResults=1000 Suggested... ...