JRASERVER-38101
Jira outputs a stack trace to the screen when an error is encountered

Source: jira.atlassian.com
Date: Apr 30, 2014 - 3:13 p.m.

{panel}
h3. Problem
When users land on the error 500 page, they can click the {{Request assistance}} link to expand it and see the full stack trace of the error that occurred. This information is not useful to most end users, but there is currently no way to hide it from them.

h3. Suggestion
Provide an option to hide the technical details of an error from end users, or a feature that lets administrators configure a generic error page to be shown to users instead.

(flag) In some cases no error is visible in the GUI at all, but the stack trace is still present in the HTTP response and can be captured with the browser's developer tools (F12). The fix should take this case into account as well.

h3. Remarks
The stack trace does not reveal anything about the application that could not also be gathered from the product's source code, which is available to any paying customer.
{panel}

{panel:title=Original description}
When an error condition is triggered by a user or a black-box security scanner such as Acunetix, the system provides an appropriate error page. However, the error page includes the stack trace, which the scanner will determine to be a potential Information Disclosure vulnerability because the stack trace may include information that can be used by an attacker to refine their attack or information-gathering efforts.

Reproduction (one example) can be performed using the following steps:

1.) As a user, log in to Jira and navigate to /charts by changing the URL to https://<yourjiradomain>/charts

2.) Click the “Request Assistance” link to view the stack trace

This is an example request sent to Jira from Acunetix which produced the problem:

GET /charts HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
Cookie: JSESSIONID=9682349A6ADB9BDC7F9923C26E05C9BE; atlassian.xsrf.token=B50V-89VK-EG1H-RFHM|670c916d8653f5135e09afda57b558400b095218|lin
Host: jira-test.ksc.nasa.gov
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Acunetix-Product: WVS/9.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*
{panel}
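The scanner check described in the original report (a stack trace in the response to GET /charts) and the flagged case where nothing is visible in the GUI but the trace sits in the response, as an added example that is not part of the Jira issue or of Atlassian's code: a small Python check that strips the HTML, decodes entities, counts Java stack frames, and reports when a trace arrives with a non-error status code, which is exactly the case a check keyed on the HTTP status (a reverse proxy's error page, a scanner rule that only looks at 5xx responses) would miss. The sample responses and the com.example class names are constructed for the example; the fetch helper is only there to run it against a real URL.

```python
"""Detect a Java stack trace leaking in an HTTP response body.

Added example (not Atlassian/Jira code).  It mimics what a black-box scanner
does with the response to GET /charts: strip the HTML, look for stack frames,
and report them even when the page shows no error to the user.
"""
import html
import re
import sys
from dataclasses import dataclass
from typing import Optional

# One Java stack frame, e.g. "at pkg.Clazz.method(Clazz.java:87)" or "(Native Method)".
FRAME_RE = re.compile(r"^\s*at [\w$.<>]+\([^)]*\)\s*$", re.MULTILINE)
# The exception line that heads a trace; a package prefix is required so that
# plain prose such as "Error: ..." does not count.
EXCEPTION_RE = re.compile(r"^(?:[\w$]+\.)+[\w$]*(?:Exception|Error|Throwable)\b", re.MULTILINE)
TAG_RE = re.compile(r"<[^>]+>")


@dataclass
class TraceFinding:
    status: int
    frames: int                # number of stack frames found in the body
    exception: Optional[str]   # fully qualified class of the first exception line, if any
    masked: bool               # trace present but status < 400: status-based checks miss it

    @property
    def leaked(self) -> bool:
        return self.frames > 0


def body_to_text(body: str) -> str:
    """Drop tags and decode entities so a trace inside <pre> or a hidden <div> is matched."""
    return html.unescape(TAG_RE.sub("", body))


def inspect_response(status: int, body: str) -> TraceFinding:
    """Classify one response by its status code and by what its body actually contains."""
    text = body_to_text(body)
    frames = len(FRAME_RE.findall(text))
    match = EXCEPTION_RE.search(text)
    return TraceFinding(
        status=status,
        frames=frames,
        exception=match.group(0) if match else None,
        masked=frames > 0 and status < 400,
    )


def fetch(url: str) -> TraceFinding:
    """Fetch a URL and inspect it; an HTTPError still carries the body we need to read."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return inspect_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return inspect_response(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample responses (not captured from a real Jira instance).
SAMPLE_500 = """<html><body><h1>Oops</h1>
<a href="#" onclick="toggle()">Request assistance</a>
<pre>java.lang.NullPointerException: chart context is null
    at com.example.charts.ChartAction.execute(ChartAction.java:87)
    at com.example.web.FilterChain.doFilter(FilterChain.java:42)
    at java.lang.Thread.run(Thread.java:745)
</pre></body></html>"""

# Status 200 and nothing rendered, but the trace is in the page source (the F12 case).
SAMPLE_200_HIDDEN = """<html><body><div>Dashboard</div>
<div style="display:none">java.lang.IllegalStateException: gadget failed
    at com.example.gadget.Renderer.&lt;init&gt;(Renderer.java:19)
    at java.lang.Thread.run(Thread.java:745)
</div></body></html>"""

# A generic error page of the kind the Suggestion asks for: no trace at all.
SAMPLE_CLEAN = "<html><body><h1>Something went wrong</h1><p>Please contact your administrator.</p></body></html>"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        checks = [(sys.argv[1], fetch(sys.argv[1]))]
    else:
        checks = [("sample 500", inspect_response(500, SAMPLE_500)),
                  ("sample 200 hidden", inspect_response(200, SAMPLE_200_HIDDEN)),
                  ("sample clean", inspect_response(500, SAMPLE_CLEAN))]
    for name, finding in checks:
        print(f"{name}: status={finding.status} leaked={finding.leaked} "
              f"frames={finding.frames} exception={finding.exception} masked={finding.masked}")
```

With no arguments the script runs over the three constructed samples; given a URL such as https://<yourjiradomain>/charts as its first argument it fetches that page and reports on it. The {{masked}} field is the one to watch: a trace delivered with a 200 status is invisible to anything that only reacts to error codes, which is why the body, not the status, has to be the thing a generic-error-page fix actually sanitises.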

Affected configurations

Atlassian Jira Data Center, any of: 6.2.2, 7.9.0, 8.4.2, 7.13.11, 8.11.0, or any version < 8.17.0