Unauthenticated Access to JIRA Project Categories - carnal0wnage/J-PWN GitHub Wiki

Unauthenticated Access to JIRA Project Categories

Category: [Info Disclosure]

module name: check_unauthenticated_project_categories

url: /rest/api/2/projectCategory?maxResults=1000

[CG] you have to manually check these for anything interesting; I found very few that allowed unauthenticated viewing.

+ Unauthenticated Access to JIRA Project Categories Detected
++ Manually check these for Unauthenticated Access ++
  URL: http://jiraaserver/rest/api/2/projectCategory?maxResults=1000

  Project Categories Details:
    No project categories found.
+ Unauthenticated Access to JIRA Project Categories Detected
++ Manually check these for Unauthenticated Access ++
  URL: https://jiraserver/rest/api/2/projectCategory?maxResults=1000

  Project Categories Details:
    - ID: 10003
      Name: New Projects
      Description: New Projects
      API URL: https://jiraserver/rest/api/2/projectCategory/10003
    - ID: 10400
      Name: Personal Projects
      Description: 
      API URL: https://jiraserver/rest/api/2/projectCategory/10400
    - ID: 10328
      Name: Intern
      Description: 
      API URL: https://jiraserver/rest/api/2/projectCategory/10328

Manually checking one of the returned categories; in this case the per-category endpoint still requires authentication (HTTP 401):

curl -k -v 'https://jiraserver/rest/api/2/projectCategory/10003'

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><status><status-code>401</status-code><message>Client must be authenticated to access this resource.</message></status>
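An added example, not part of the J-PWN wiki or code base: a Python check that classifies the unauthenticated response of the projectCategory endpoint (readable list, empty list, the 401 status document shown above, or anything else) and renders it in the module's report layout. The sample bodies are constructed, the hostnames are placeholders, and `check_live` is an assumed helper for running the same classification against an instance.

```python
# Added example (not J-PWN's own code): classify the unauthenticated response
# of JIRA's project-category listing and render it in the report style shown
# above. Sample bodies are constructed; hostnames are placeholders.
import json
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

CATEGORY_PATH = "/rest/api/2/projectCategory?maxResults=1000"

# Constructed sample of the JSON array JIRA returns when the listing is readable.
SAMPLE_EXPOSED = json.dumps([
    {"self": "https://jiraserver/rest/api/2/projectCategory/10003",
     "id": "10003", "name": "New Projects", "description": "New Projects"},
    {"self": "https://jiraserver/rest/api/2/projectCategory/10400",
     "id": "10400", "name": "Personal Projects", "description": ""},
])

# Constructed copy of the XML status document JIRA sends with a 401.
SAMPLE_AUTH_REQUIRED = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    "<status><status-code>401</status-code><message>Client must be "
    "authenticated to access this resource.</message></status>"
)


def classify_response(status_code, content_type, body):
    """Turn one HTTP response into {"state", "categories", "message"}.

    state: "exposed" (categories readable), "empty" (200 but no categories),
    "auth_required" (401 status document) or "unexpected" (anything else).
    """
    if status_code == 401:
        try:
            message = (ET.fromstring(body).findtext("message") or "").strip()
        except ET.ParseError:
            message = body.strip()[:200]
        return {"state": "auth_required", "categories": [], "message": message}
    if status_code != 200 or "json" not in content_type.lower():
        return {"state": "unexpected", "categories": [],
                "message": "HTTP %d, Content-Type %s" % (status_code, content_type)}
    try:
        data = json.loads(body)
    except ValueError:
        return {"state": "unexpected", "categories": [], "message": "200 with non-JSON body"}
    if not isinstance(data, list):
        return {"state": "unexpected", "categories": [], "message": "200 with non-list JSON"}
    categories = [
        {"id": str(item.get("id", "")), "name": item.get("name", ""),
         "description": item.get("description", ""), "api_url": item.get("self", "")}
        for item in data if isinstance(item, dict)
    ]
    if not categories:
        return {"state": "empty", "categories": [], "message": "No project categories found."}
    return {"state": "exposed", "categories": categories,
            "message": "%d project categories readable without authentication" % len(categories)}


def render_report(base_url, result):
    """Render the result in the layout the module prints (see the output above)."""
    detected = result["state"] in ("exposed", "empty")
    lines = [
        ("+ " if detected else "- ") + "Unauthenticated Access to JIRA Project Categories "
        + ("Detected" if detected else "Not Detected"),
        "++ Manually check these for Unauthenticated Access ++",
        "  URL: " + base_url.rstrip("/") + CATEGORY_PATH,
        "",
        "  Project Categories Details:",
    ]
    if result["state"] == "exposed":
        for c in result["categories"]:
            lines += ["    - ID: " + c["id"], "      Name: " + c["name"],
                      "      Description: " + c["description"],
                      "      API URL: " + c["api_url"]]
    else:
        lines.append("    " + result["message"])
    return "\n".join(lines)


def check_live(base_url, timeout=10):
    """Assumed helper: fetch the listing without credentials and classify it."""
    req = urllib.request.Request(base_url.rstrip("/") + CATEGORY_PATH,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.headers.get("Content-Type", ""),
                                     resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.headers.get("Content-Type", ""),
                                 err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    for status, ctype, body in [(200, "application/json", SAMPLE_EXPOSED),
                                (401, "application/xml", SAMPLE_AUTH_REQUIRED)]:
        print(render_report("https://jiraserver", classify_response(status, ctype, body)))
```

Running the block prints the exposed case in the same layout as the output above and the 401 case with the parsed "Client must be authenticated" message instead of a category list, which is the distinction the manual curl check is making.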