Atlassian Jira insecure REST permissions
Description
Atlassian Jira is a widely used issue tracking and project management platform that provides REST APIs for remote interaction with issues, workflows, and other features. This vulnerability occurs when Jira's REST API endpoints are accessible without requiring authentication, allowing anonymous users to perform operations that should be restricted to authenticated users only.
The scanner has identified that the target Jira instance permits unauthenticated access to its REST APIs, enabling any remote user to interact with the system without providing credentials.
Remediation
Immediately configure authentication for all Jira REST API endpoints to prevent unauthorized access. Atlassian Jira supports multiple authentication methods:
1. Enable Basic Authentication: Configure HTTP Basic authentication to require username and password credentials for all API requests. This is suitable for server-to-server integrations where credentials can be securely stored.
2. Implement OAuth Authentication: For more secure implementations, especially for third-party integrations, configure OAuth 1.0a or OAuth 2.0 authentication. This provides token-based authentication without exposing user credentials.
3. Review API Permissions: After enabling authentication, verify that API access permissions are properly configured in Jira's permission schemes to ensure users can only access resources appropriate to their role.
4. Disable Anonymous Access: In Jira Administration, navigate to System → General Configuration and ensure that anonymous access is disabled for your instance unless specifically required for public-facing features.
Consult the official Atlassian documentation for detailed implementation steps specific to your Jira version and deployment model (Server, Data Center, or Cloud).
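To confirm the finding or verify that the remediation took effect on an instance you administer, the following Python helper (an added example, not Atlassian's code or the scanner's) requests three Jira REST endpoints without credentials and reports which ones returned data. It assumes a Jira Server/Data Center instance, which names the acting user in the X-AUSERNAME response header and answers /rest/api/2/myself with 401 for anonymous callers; the sample responses in the comments are constructed.

```python
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Mapping, Tuple

# Probes sent with no credentials. A correctly configured instance answers
# /rest/api/2/myself with 401; the other two return only what "Anyone" may browse.
PROBE_PATHS = ("/rest/api/2/myself", "/rest/api/2/project", "/rest/api/2/search?maxResults=1")

Response = Tuple[int, Mapping[str, str], str]      # (status, headers, body)
Fetcher = Callable[[str], Response]                # path -> Response

@dataclass
class Finding:
    path: str
    status: int
    served_as_anonymous: bool   # Jira reports the acting user in its X-AUSERNAME header
    exposed: bool               # data came back although no credentials were sent

def classify(path: str, status: int, headers: Mapping[str, str], body: str) -> Finding:
    user = {k.lower(): v for k, v in headers.items()}.get("x-ausername", "anonymous")
    exposed = False
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            data = None
        if path.startswith("/rest/api/2/myself"):
            exposed = True                        # a profile served without any credentials
        elif path.startswith("/rest/api/2/project"):
            exposed = isinstance(data, list) and len(data) > 0      # e.g. [{"key": "PUB"}]
        elif path.startswith("/rest/api/2/search"):
            exposed = isinstance(data, dict) and data.get("total", 0) > 0  # e.g. {"total": 3}
    return Finding(path, status, user.lower() == "anonymous", exposed)

def audit(fetch: Fetcher) -> List[Finding]:
    """Run every probe through `fetch` and keep only the findings that show exposure."""
    return [f for f in (classify(p, *fetch(p)) for p in PROBE_PATHS) if f.exposed]

def http_fetch(base_url: str) -> Fetcher:
    """Fetcher for a live instance you administer; sends no Authorization header."""
    def fetch(path: str) -> Response:
        req = urllib.request.Request(base_url.rstrip("/") + path, headers={"Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=10) as r:
                return r.status, dict(r.headers), r.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, dict(e.headers), e.read().decode("utf-8", "replace")
    return fetch
```

Run `audit(http_fetch("https://jira.example.internal"))` (placeholder host) before and after the remediation; an empty list means no probe returned data to an anonymous caller.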