Over the past few days I have received a number of emails in relation to a password reset from our JIRA installation. Initially the emails where in relation to a password reset for the admin account but then they were in relation to my own account which was worrying. We have noticed that my username has then been used to perform a brute force attack on various other web applications that we host.
I have discovered that the hacker requested the following URL: /jira/secure/IssueNavigator!executeAdvanced.jspa which results in an issue navigator screen with no information however when the manage option is selected it shows a list of user created filters and this shows the Owner's name and username.
Can this disclosure of information be prevented?
Are there other pages which users can access without being logged in and could potentially disclose information?
Here is an url what Atlassian does when security vulnerbilities are found.
https://confluence.atlassian.com/display/JIRA/Security+Advisories
If you have not done so, please contact support. There are security related tools that can access to pages, but they are only as good as the person designing the test cases.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.