nuclei-templates/cves/2019/CVE-2019-3401.yaml

id: CVE-2019-3401

info:
  name: Atlassian JIRA Information Exposure (CVE-2019-3401)
  author: TechbrunchFR,milo2012
  severity: info
  tags: cve,cve2019,jira,atlassian

requests:
  - method: GET
    path:
      - "{{BaseURL}}/secure/ManageFilters.jspa?filter=popular&filterView=popular"
    matchers:
      - type: word
        words:
          - '<span data-filter-field="owner-full-name">'
          - '<title>Manage Filters - Jira</title>'
        condition: and

# Remediation:
# Ensure that this permission is restricted to specific groups that require it.
# You can restrict it in Administration > System > Global Permissions.
# Turning the feature off will not affect existing filters and dashboards.
# If you change this setting, you will still need to update the existing filters and dashboards if they have already been
# shared publicly.
# Since Jira 7.2.10, a dark feature to disable site-wide anonymous access was introduced.
Update and rename vulnerabilities/jira/jira-unauthenticated-popular-filters.yaml to cves/2019/CVE-2019-3401.yaml 2021-06-24 11:22:04 +00:00			`id: CVE-2019-3401`
Create jira-unauthenticated-popular-filters.yaml If public sharing is ON it allows users to share dashboards and filters with all users including those that are not logged in. Those dashboard and filters could reveal potentially sensitive information. 2020-07-06 15:56:34 +00:00
			`info:`
Update and rename vulnerabilities/jira/jira-unauthenticated-popular-filters.yaml to cves/2019/CVE-2019-3401.yaml 2021-06-24 11:22:04 +00:00			`name: Atlassian JIRA Information Exposure (CVE-2019-3401)`
			`author: TechbrunchFR,milo2012`
misc changes 2021-02-10 16:37:17 +00:00			`severity: info`
Update and rename vulnerabilities/jira/jira-unauthenticated-popular-filters.yaml to cves/2019/CVE-2019-3401.yaml 2021-06-24 11:22:04 +00:00			`tags: cve,cve2019,jira,atlassian`
Update jira-unauthenticated-popular-filters.yaml 2020-07-06 15:58:12 +00:00
			`requests:`
Create jira-unauthenticated-popular-filters.yaml If public sharing is ON it allows users to share dashboards and filters with all users including those that are not logged in. Those dashboard and filters could reveal potentially sensitive information. 2020-07-06 15:56:34 +00:00			`- method: GET`
			`path:`
			`- "{{BaseURL}}/secure/ManageFilters.jspa?filter=popular&filterView=popular"`
			`matchers:`
			`- type: word`
			`words:`
Update and rename vulnerabilities/jira/jira-unauthenticated-popular-filters.yaml to cves/2019/CVE-2019-3401.yaml 2021-06-24 11:22:04 +00:00			`- '<span data-filter-field="owner-full-name">'`
			`- '<title>Manage Filters - Jira</title>'`
			`condition: and`
Create jira-unauthenticated-popular-filters.yaml If public sharing is ON it allows users to share dashboards and filters with all users including those that are not logged in. Those dashboard and filters could reveal potentially sensitive information. 2020-07-06 15:56:34 +00:00
			`# Remediation:`
			`# Ensure that this permission is restricted to specific groups that require it.`
			`# You can restrict it in Administration > System > Global Permissions.`
			`# Turning the feature off will not affect existing filters and dashboards.`
			`# If you change this setting, you will still need to update the existing filters and dashboards if they have already been`
			`# shared publicly.`
			`# Since Jira 7.2.10, a dark feature to disable site-wide anonymous access was introduced.`