Jira Unauthenticated Dashboards

ID: jira-unauthenticated-dashboards

Severity: info

Author: TechbrunchFR

Tags: atlassian,jira

Description

YAML Source

id: jira-unauthenticated-dashboards

# If public sharing is ON it allows users to share dashboards and filters with all users including
# those that are not logged in. Those dashboards and filters could reveal potentially sensitive information.
info:
  name: Jira Unauthenticated Dashboards
  author: TechbrunchFR
  severity: info
  classification:
    cpe: cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: atlassian
    product: jira
    shodan-query: http.component:"Atlassian Jira"
  tags: atlassian,jira

http:
  - method: GET
    path:
      - "{{BaseURL}}/rest/api/2/dashboard?maxResults=100"

    matchers:
      - type: word
        words:
          - 'dashboards'
          - 'startAt'
          - 'maxResults'
        condition: and

# Remediation:
# Ensure that this permission is restricted to specific groups that require it.
# You can restrict it in Administration > System > Global Permissions.
# Turning the feature off will not affect existing filters and dashboards.
# If you change this setting, you will still need to update the existing filters and dashboards if they have already been
# shared publicly.
# Since Jira 7.2.10, a dark feature to disable site-wide anonymous access was introduced.
# digest: 4a0a0047304502204f428dcf3c153639d114b25c1df424bba2ad998e09714f567e3e0b032e78ac5b0221009c411bab628272789928b3245480ad7a4529df153eefa614707cbd750638717a:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/vulnerabilities/jira/jira-unauthenticated-dashboards.yaml"

View on Github