Atlassian Jira Manage Filters information disclosure - Vulnerability Database

Description

Atlassian Jira is a widely used issue tracking and project management platform. Its Manage Filters page, served at /secure/ManageFilters.jspa, can be reached without authentication in certain configurations and may expose sensitive organizational information. The page typically lists filter names and descriptions together with the associated user details, including employee names, email addresses, and internal project or product names. The disclosure occurs when the page itself is publicly accessible or when filters are shared with broad permission groups such as 'Everyone'.

Remediation

Implement the following measures to restrict access to sensitive filter information:

1. Review Filter Sharing Permissions:
Audit all existing filters and remove overly permissive sharing settings, particularly the 'Everyone' share option. Navigate to each filter and ensure it is only shared with specific users or groups who require access.

2. Disable Global 'Everyone' Sharing:
Remove the 'Everyone' share option from Jira to prevent users from creating publicly accessible filters. Follow the steps outlined in the Atlassian Knowledge Base article referenced in the Web References section.

3. Implement Access Controls:
Configure web server or application-level access controls to restrict access to /secure/ManageFilters.jspa to authenticated users only. Ensure anonymous access is disabled for this endpoint.

4. Regular Audits:
Periodically review filter permissions and sharing settings to ensure compliance with your organization's information security policies.
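A post-remediation check for step 3, added here as an example (it is not Invicti's or Atlassian's code): it requests the Manage Filters page with no session and classifies the reply as protected, exposed, or unknown. Assumptions not taken from this entry: Jira sends anonymous users to /login.jsp, its login form carries an os_username field, and the served listing contains the title text "Manage Filters".

```python
import sys
import urllib.error
import urllib.request

MANAGE_FILTERS = "/secure/ManageFilters.jspa"
# Assumed Jira markers (not stated in the advisory): where anonymous users are
# redirected, and the username field of the login form rendered in place.
LOGIN_PATH = "/login.jsp"
LOGIN_FIELD = 'name="os_username"'


def classify(status, location, body):
    """Classify one unauthenticated response to the Manage Filters page.

    Returns 'protected' (login required), 'exposed' (the filter listing was
    served anonymously) or 'unknown' (cannot tell, e.g. a 500 or another page).
    """
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307, 308):
        return "protected" if location and LOGIN_PATH in location else "unknown"
    if status == 200:
        if LOGIN_FIELD in body:          # login form shown instead of the listing
            return "protected"
        if "Manage Filters" in body:     # assumed title marker of the listing
            return "exposed"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so the 302 target can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_anonymous(base_url, timeout=10):
    """Fetch MANAGE_FILTERS without any session cookie and classify the reply."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(base_url.rstrip("/") + MANAGE_FILTERS,
                                 headers={"User-Agent": "manage-filters-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            status, location = resp.status, resp.headers.get("Location")
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:   # 3xx (unfollowed), 4xx and 5xx land here
        status, location = err.code, err.headers.get("Location")
        body = err.read().decode("utf-8", "replace")
    return classify(status, location, body)


if __name__ == "__main__":
    # Usage: python check.py https://jira.example.com
    print(check_anonymous(sys.argv[1]))
```

Run it against your own instance after applying the remediation; anything other than "protected" means the endpoint still needs attention.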