PT-2009-40: JIRA sensitive information disclosure Affected SoftwareJIRA Versions prior to 3.13.4-#354 Product Link: http://www.atlassian.com/software/jira/Severity Rating Severity: Low Impact: Sensitive information disclosure Attack Vector: RemoteCVSS v2Base Score: 0.0 Temporal Score: 0.0 Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:N/E:P/RL:O/RC:C) CVE: not assignedSoftware DescriptionJIRA lets you prioritise, assign, track, report and audit your 'issues,' whatever they may be — from software bugs and help-desk tickets to project tasks and change requests.Vulnerability DescriptionPositive Technologies Research Team has discovered a sensitive information disclosure vulnerability in JIRA.The vulnerability was detected when calling "/secure/ConfigureReleaseNote.jspa" script.An attacker who successfully exploited this vulnerability could identify web server root folder and other server sensitive data.SolutionUpdate to lastest version.WorkaroundYou can workaround the problem by editing your atlassian-jira/500page.jsp and removing this line: ... <li><webwork:text name="'system.error.step3'"><webwork:param name="'value0'"><% out.println(extendedSystemInfoUtils.getLogPath());%></webwork:param></webwork:text> ...Disclosure Timeline06/02/2009 - Vendor notified 06/03/2009 - Vendor response 06/04/2009 - The vendor confirmed the vulnerability and issued a workaround decision 06/24/2009 - Requested status update from vendor 06/24/2009 - Public disclosureCreditsThis vulnerability was discovered by Dmitry Evteev (Positive Technologies Research Team) using professional network security scanner MaxPatrol.Referenceshttp://en.securitylab.ru/lab/PT-2009-40 http://www.ptsecurity.ru/advisory.aspComplete list of vulnerability reports published by Positive Technologies Research Team:http://en.securitylab.ru/lab/ http://www.ptsecurity.ru/advisory.asp