In our production environment, we've made changes in web.xml trying to block PUT requests to the vulnerable endpoint, and we receive a 403 response code, but in the headers we can see Allow=POST,OPTIONS,PUT, and it was the same before the workaround.
Is it possible that the environment is not applying the changes in web.xml?
In a test environment, we made the workaround and then we get a response with the message "The requested method PUT is not allowed for the URL /jira/rest/jira-importers-plugin/1.0/demo/create.". But in this case, when we remove the blocking code in web.xml and restart, the endpoint is still blocked. Is it possible that, in this case, the environment is not applying the changes?
We're not sure how to be sure that the endpoint is blocked.
Server version: 7.5.3
Thanks for the help.
Thanks for reaching out. First, to act as a reference point, the Security Advisory Workaround is posted here:
I recommend doing a quick double check on the syntax to verify it lines up with the KB, and verifying that the file permissions were not altered in some way when editing. On Windows the service user should have full control; on Linux, verifying permissions settings can be seen here. Next, verify the Jira application was restarted.
Then to verify the settings did take effect as covered in the KB:
Try to send a PUT request to the endpoint <JIRA_BASE_URL>/rest/jira-importers-plugin/1.0/demo/create?key=NA&name=NA&lead=NA
Examples on how to format this using a curl command can be seen here:
If the setting was correctly applied, the PUT will fail.
Thanks for your response. Yes, I tried to send the request specified, but I'm not sure what result I have to receive. I attach examples:
That's why I think that on Production, the changes have had no effect. In both environments I modified the same file with the same lines and restarted the application.
Thanks for your attention.