
Jira Service Desk Security Advisory 2019-11-06 Workaround

Wansze Kong November 6, 2019

The following security advisory was received, informing us of a bypass that can allow attackers to view all issues in any project within a Jira instance:

https://confluence.atlassian.com/jira/jira-service-desk-security-advisory-2019-11-06-979412717.html?utm_source=alert-email&utm_medium=email&utm_campaign=Jira%20Service%20Desk%20Server%20and%20Data%20Center-advisory_november-2019_EML-5814&jobid=104383358&subid=1333322718

One of the workarounds provided (Workaround 2) references a LocationMatch configuration that is very similar to a .conf file configuration from a prior security advisory (https://confluence.atlassian.com/jira/jira-service-desk-security-advisory-2019-09-18-976171274.html?utm_source=alert-email&utm_medium=email&utm_campaign=Jira%20Service%20Desk%20Server%20and%20Data%20Center-advisory_september-2019_EML-5414&jobid=104302939&subid=1333322718).

Will the application of the LocationMatch configuration as stated below cover Jira projects as well as Service Desk projects:

<LocationMatch "/(.*\.\.)">
    Order Allow,Deny
    Deny from all
</LocationMatch>

The workaround provided for the recent security advisory is as follows:

<LocationMatch "/servicedesk/.*\.jsp.*">
    Order Allow,Deny
    Deny from all
</LocationMatch>

Please advise. 
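To see which requests each of the two LocationMatch patterns quoted above would deny, here is an added Python emulation (not part of the question or of the Atlassian advisory). It assumes, as httpd's LocationMatch does, an unanchored regex search over the %-decoded URL path with the query string excluded; httpd's further URL canonicalisation is not modelled, and the sample URIs are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# The two <LocationMatch> regexes quoted in the question, copied verbatim.
PATTERNS = {
    "sept": r"/(.*\.\.)",               # 2019-09-18 advisory workaround
    "nov": r"/servicedesk/.*\.jsp.*",   # 2019-11-06 advisory, Workaround 2
}


def location_match(pattern, request_uri):
    """Approximate httpd's <LocationMatch> test (assumption of this example):
    unanchored regex search over the %-decoded URL path, query string excluded.
    httpd's other canonicalisation steps are not modelled here."""
    path = unquote(urlsplit(request_uri).path)
    return re.search(pattern, path) is not None


def blocked_by(request_uri):
    """Return, per workaround, whether the given request URI would be denied."""
    return {name: location_match(p, request_uri) for name, p in PATTERNS.items()}


# Constructed sample request URIs (not taken from either advisory).
SAMPLES = [
    "/browse/PROJ-1",                                 # plain Jira core request
    "/servicedesk/customer/portal/1",                 # plain Service Desk request
    "/browse/../secure/Dashboard.jspa",               # ".." in a Jira core path
    "/browse/%2e%2e/secure/Dashboard.jspa",           # same, %-encoded dots
    "/servicedesk/customer/../Dashboard.jspa",        # ".." under /servicedesk/
    "/servicedesk/customer/portal/1/page.jsp",        # .jsp under /servicedesk/
    "/secure/page.jsp",                               # .jsp outside /servicedesk/
    "/servicedesk/customer/portal/1?redirect=x.jsp",  # .jsp only in the query
]

if __name__ == "__main__":
    # The "sept" pattern keys on ".." anywhere in the path, so it applies to
    # Jira core and Service Desk paths alike; the "nov" pattern only touches
    # /servicedesk/ paths containing ".jsp" (which includes ".jspa").
    for uri in SAMPLES:
        print(f"{uri:48} {blocked_by(uri)}")
```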

0 answers
