Unauthenticated Access to JIRA Projects - carnal0wnage/J-PWN GitHub Wiki

Unauthenticated Access to JIRA Projects

Category: [Info Disclosure]

module name: check_unauthenticated_projects

url: /rest/api/2/project?maxResults=100

HTTP 200 but no shared projects (the anonymous request is answered with an empty result)

INFO: Checking for Unauthenticated Access to JIRA Projects
[Testing URL]: http://JIRASERVER/rest/api/2/project?maxResults=100
- No Projects found (Empty Results).

HTTP 200 with shared projects (project details are returned without authentication)

INFO: Checking for Unauthenticated Access to JIRA Projects
[Testing URL]: https://JIRASERVER/rest/api/2/project?maxResults=100

+ Unauthenticated Access to JIRA Projects Detected
  URL: https://JIRASERVER/rest/api/2/project?maxResults=100

  Projects Details:
    - ID: 11256
      Key: IT
      Name: IT
      Type: business
      API URL: https://JIRASERVER/rest/api/2/project/10205
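
The two outcomes above, plus the refused-request case, as an added example for auditing a Jira instance you administer; this is not J-PWN's own code. The verdict labels, the function names and the sample bodies are assumptions made for illustration, and mapping the Jira REST fields `id`, `key`, `name`, `projectTypeKey` and `self` onto the report's ID, Key, Name, Type and API URL lines is inferred from the output shown here.

```python
import json
import urllib.error
import urllib.request

API_PATH = "/rest/api/2/project?maxResults=100"  # path documented on this page


def classify(status, body):
    """Map an anonymous response to (verdict, projects). Verdict names are hypothetical."""
    if status != 200:
        return "not_exposed", []      # e.g. 401/403: anonymous access refused
    try:
        data = json.loads(body)
    except ValueError:
        return "unexpected", []       # 200 but not JSON (login page, proxy, WAF)
    if not isinstance(data, list):
        return "unexpected", []       # the project endpoint returns a JSON array
    projects = [
        {"id": p.get("id"), "key": p.get("key"), "name": p.get("name"),
         "type": p.get("projectTypeKey"), "api_url": p.get("self")}
        for p in data if isinstance(p, dict)
    ]
    return ("exposed", projects) if projects else ("empty", [])


def audit(base_url, timeout=10):
    """Send one request with no credentials to a Jira instance you administer."""
    req = urllib.request.Request(base_url.rstrip("/") + API_PATH,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, "")  # non-2xx statuses arrive as HTTPError


# Constructed sample bodies (not captured from a real server).
SAMPLE_EMPTY = "[]"
SAMPLE_SHARED = json.dumps([{
    "self": "https://jira.example.test/rest/api/2/project/10000",
    "id": "10000", "key": "DEMO", "name": "Demo", "projectTypeKey": "business",
}])

if __name__ == "__main__":
    for label, status, body in [("empty", 200, SAMPLE_EMPTY),
                                ("shared", 200, SAMPLE_SHARED),
                                ("denied", 401, "")]:
        print(label, classify(status, body))
```

An "exposed" verdict means at least one project is browsable without logging in; review that project's permission scheme and remove the Browse Projects grant to anonymous users unless the project is meant to be public.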

References: