Jira QueryComponent Information Disclosure (CVE-2020-14179) - Vulnerability Database

Description

Atlassian Jira Server and Data Center contain an information disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The endpoint does not enforce authentication, so a remote, unauthenticated attacker can request it directly and read the names of custom fields and of custom SLAs (Jira Service Desk SLA fields, where configured) from the JSON it returns. These are internal configuration details that should only be visible to authenticated users; custom field and SLA names often reveal how an organisation uses Jira (projects, teams, escalation and approval workflows), which is useful reconnaissance for follow-on attacks. The affected versions are before 8.5.8, and from 8.6.0 before 8.11.1.

Remediation

Apply the security patches provided by Atlassian for the affected Jira Server and Data Center versions as documented in JRASERVER-71536: upgrade to 8.5.8, 8.11.1 or a later release that addresses CVE-2020-14179. As an immediate mitigation, restrict access to /secure/QueryComponent!Default.jspa at a web application firewall or reverse proxy. Note that a proxy cannot validate a Jira session, so the practical rule is to deny the endpoint entirely, or allow it only from trusted networks, until the patch is applied. After patching, verify that an unauthenticated request to the endpoint no longer returns custom field or SLA names, and that authentication is enforced on other administrative and configuration endpoints. Review Jira's HTTP access log for unauthenticated requests to this endpoint made before remediation; they indicate that the field names should be treated as disclosed.
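The following helper, added here as an example and not code from Invicti or Atlassian, supports the two checks above: it fetches the endpoint without a session and extracts any custom field names from the JSON, and it scans access-log lines for anonymous requests to the endpoint. The response layout (searcher objects carrying "id" and "name" keys, custom fields identified by ids of the form customfield_<n>) and the log format (Jira's default, where the third field is the username and "-" means anonymous) are assumptions; the sample response and log lines are constructed, not captured from a live instance.

```python
"""Exposure and log checks for CVE-2020-14179 (added example, not vendor code).

Assumptions (not taken from the advisory):
- the endpoint's JSON contains searcher objects with "id" and "name" keys and
  custom fields use ids of the form "customfield_<n>";
- access-log lines follow Jira's default format: ip request-id user [time]
  "METHOD path HTTP/x" status ..., with "-" as the user for anonymous requests.
SAMPLE_RESPONSE and SAMPLE_LOG below are constructed for the example.
"""
import json
import re
import urllib.error
import urllib.request

ENDPOINT = "/secure/QueryComponent!Default.jspa"


def walk(node):
    """Yield every dict found anywhere in a nested JSON value."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from walk(value)


def custom_field_names(body):
    """Map custom field id -> display name for every searcher object in the
    response body that exposes a customfield_<n> id (assumed layout)."""
    found = {}
    for obj in walk(json.loads(body)):
        fid = obj.get("id")
        if isinstance(fid, str) and fid.startswith("customfield_") and "name" in obj:
            found[fid] = str(obj["name"])
    return found


def probe(base_url, timeout=10):
    """Request the endpoint with no session cookie and return (status, names).
    A 200 with a non-empty mapping means custom field/SLA names are readable by
    unauthenticated callers, i.e. the instance is still vulnerable."""
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, custom_field_names(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return err.code, {}


# Assumed default Jira access-log shape; fields we do not need are skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def anonymous_hits(log_lines):
    """Return (ip, timestamp, status) for each anonymous request to the endpoint,
    ignoring any query string. Hits made before patching mean the names were
    disclosed; hits after patching show someone is still probing."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["user"] == "-" and m["path"].split("?", 1)[0] == ENDPOINT:
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits


# Constructed sample response in the assumed layout.
SAMPLE_RESPONSE = json.dumps({
    "searchers": {"groups": [
        {"type": "DETAILS", "title": "Details", "searchers": [
            {"name": "Project", "id": "project"},
            {"name": "Escalation Level", "id": "customfield_10100"},
        ]},
        {"type": "SLA", "title": "SLA", "searchers": [
            {"name": "Time to resolution", "id": "customfield_10201"},
        ]},
    ]},
})

# Constructed sample log lines in the assumed format.
SAMPLE_LOG = [
    '203.0.113.7 1x100x1 - [10/Sep/2020:14:02:11 +0000] "GET /secure/QueryComponent!Default.jspa HTTP/1.1" 200 1842 12 "-" "curl/7.68.0" "-"',
    '198.51.100.4 1x101x1 jsmith [10/Sep/2020:14:03:02 +0000] "GET /secure/QueryComponent!Default.jspa HTTP/1.1" 200 1842 10 "-" "Mozilla/5.0" "abc123"',
    '203.0.113.7 1x102x1 - [10/Sep/2020:14:03:30 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 5120 20 "-" "curl/7.68.0" "-"',
    '203.0.113.7 1x103x1 - [10/Sep/2020:14:05:00 +0000] "GET /secure/QueryComponent!Default.jspa?x=1 HTTP/1.1" 401 0 3 "-" "curl/7.68.0" "-"',
]

if __name__ == "__main__":
    print(custom_field_names(SAMPLE_RESPONSE))
    print(anonymous_hits(SAMPLE_LOG))
```

Run `probe("https://jira.example.org")` against an instance you are authorised to test; the log scan is deliberately a separate function so it can be run offline over an exported log file. Note that a proxy-level block changes the status seen in the log (for example 403) but does not change what was already disclosed before the block was in place.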
