I am referring to this page
I have tried testing the call in Postman. Even before the workaround, I get a 403 (Forbidden)...
I do the workaround and get the same error.
Please advise if the above is the expected behaviour before the fix?
Hi @Tasneem Bhyat,
Successful exploitation of the vulnerability requires Jira Administrator credentials in the request. If the request doesn't include auth headers for an account that has Jira Administrator permission, it will return a 403.
Once the workaround is applied, 403 will be returned even if proper credentials are included in the request.
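As an added illustration of why the workaround produces a 403 regardless of credentials (this is not from the thread or from the Atlassian advisory, and the URL pattern below is a placeholder, not the real endpoint): a servlet-container workaround of this kind is a `<security-constraint>` in Jira's `web.xml` (typically `<jira-install>/atlassian-jira/WEB-INF/web.xml`) with an empty `<auth-constraint/>`. An empty auth-constraint means no role is permitted, so Tomcat rejects the request with 403 before it ever reaches Jira's own authentication, which is why even a Jira Administrator gets 403 once it is in place. Use the exact path and HTTP methods from the advisory you are following.

```xml
<!-- Example only: blocks POST to a placeholder path for every caller.
     Replace /rest/example/placeholder with the endpoint named in the advisory. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Blocked endpoint (workaround)</web-resource-name>
        <url-pattern>/rest/example/placeholder</url-pattern>
        <url-pattern>/rest/example/placeholder/*</url-pattern>
        <!-- Only the listed methods are blocked; omit <http-method> entirely
             to block every method on the pattern. -->
        <http-method>POST</http-method>
    </web-resource-collection>
    <!-- Empty auth-constraint: no role is allowed, so the container
         returns 403 Forbidden without consulting credentials. -->
    <auth-constraint/>
</security-constraint>
```

The constraint only takes effect after Jira is restarted, and a quick check is to send the blocked method to the path with valid Jira Administrator credentials: a 403 confirms the container is enforcing it; any other status (for example 500 for a request body the endpoint rejects) means the request reached the application and the constraint is not matching. Before the workaround, an unauthenticated request to an admin-only endpoint returning 403 is the application's normal permission check, not evidence that the workaround is in place.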
Thank you very much for the reply. I did a call in Postman to the endpoint with my credentials (I am a JIRA Administrator). Before the change I get a 403. And there was nothing else in the web.xml blocking that endpoint. We are using JIRA Server version 7.3.8.
I tried doing a POST with the same URL... then I get a 500 (due to missing content)... but when I put the endpoint with a POST in the web.xml and restart JIRA, I then get a 403.
Please advise if this is normal behaviour.