Jira Projects accessible anonymously
Description
The Jira instance has been configured to allow anonymous (unauthenticated) access to one or more projects. This means that anyone on the network can view project information, issues, and potentially other sensitive data without providing credentials. Anonymous access is often enabled for public-facing projects but may be unintentionally configured for internal or sensitive projects.
Remediation
Review all Jira projects to determine which ones require anonymous access. For projects containing sensitive information, disable anonymous access through the Jira administration console:
1. Navigate to Administration → System → Global permissions
2. Remove the 'Anyone' group from the 'Browse Users' and 'Create Issues' permissions if not required globally
3. For individual projects, go to Project Settings → Permissions
4. Review the permission scheme and ensure anonymous users do not have 'Browse Projects' or other sensitive permissions
5. Consider implementing a permission scheme that requires authentication for all internal projects
If anonymous access is required for specific public-facing projects, ensure that no sensitive information is stored in those projects and implement appropriate monitoring for suspicious activity.
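To confirm the change took effect, the following script (an added example, not part of the original finding) requests the project list from Jira's REST API without credentials and reports which projects anonymous users can still browse. It assumes the `GET /rest/api/2/project` endpoint is reachable at the base URL you supply; the sample response body is constructed for offline use.

```python
"""Post-remediation check: which Jira projects are browseable anonymously?"""
import json
import sys
import urllib.request
from urllib.error import HTTPError


def parse_project_listing(body: str) -> list:
    """Return sorted project keys from a /rest/api/2/project response body."""
    data = json.loads(body)
    # Server/DC returns a bare JSON array; paginated Cloud endpoints wrap
    # results in {"values": [...]}. Accept both shapes.
    projects = data.get("values", []) if isinstance(data, dict) else data
    return sorted(p["key"] for p in projects if isinstance(p, dict) and "key" in p)


def anonymous_projects(base_url: str, timeout: float = 10.0) -> list:
    """Fetch the project list with no Authorization header.

    Jira only returns projects the caller may browse, so an unauthenticated
    call shows exactly what an anonymous user sees. An empty list (or a
    401/403) means no project is exposed.
    """
    url = base_url.rstrip("/") + "/rest/api/2/project"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_project_listing(resp.read().decode("utf-8"))
    except HTTPError as exc:
        if exc.code in (401, 403):
            return []  # anonymous browsing denied outright
        raise


def is_remediated(exposed: list, allowed: set = frozenset()) -> bool:
    """True when every anonymously visible project is on the approved list."""
    return set(exposed) <= set(allowed)


# Constructed sample body, shaped like a Server/DC response listing two projects.
SAMPLE_BODY = json.dumps([
    {"id": "10000", "key": "PUB", "name": "Public Docs"},
    {"id": "10001", "key": "INT", "name": "Internal Ops"},
])

if __name__ == "__main__":
    # Usage: python check_jira_anon.py https://jira.example.invalid [approved keys...]
    exposed = anonymous_projects(sys.argv[1]) if len(sys.argv) > 1 else parse_project_listing(SAMPLE_BODY)
    ok = is_remediated(exposed, set(sys.argv[2:]))
    print("anonymously browseable:", exposed or "none", "->", "OK" if ok else "REVIEW")
```

Pass the keys of intentionally public projects as extra arguments so only unexpected exposures are flagged.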