Jira - Information Disclosure (CVE-2020-14179)

Jira is affected by an Information Disclosure vulnerability, located in the /secure/QueryComponent!Default.jspa endpoint. This allows attackers to read sensitive information from the target system by sending a specially crafted HTTP GET request to the vulnerable endpoint. An unauthenticated attacker can view custom field names and custom SLA names from the Jira server and can potentially be a starting point for exposing an additional attack surface.

Sniper can read arbitrary files from the target system and extract them as evidence.

The risk exists that a remote unauthenticated attacker could exploit this vulnerability to view custom field names and custom SLA names from the QueryComponent JSON file located on the file system of the server.

Upgrade Jira to the latest version.

https://nvd.nist.gov/vuln/detail/CVE-2020-14179

https://jira.atlassian.com/browse/JRASERVER-71536