H3-2025-0039
Jira Unauthenticated Resolutions Exposure
| Field | Value |
| --- | --- |
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 3.0 |
Description
The Jira Unauthenticated Resolutions vulnerability is the exposure of configuration data through the /rest/api/2/resolution endpoint without sufficient authentication checks. It is detected when an unauthenticated GET request to that endpoint returns a successful HTTP 200 response whose content reveals internal metadata, including the instance's resolution definitions and security tokens such as the atlassian.xsrf.token.

Attackers can exploit this weakness simply by sending unauthenticated requests, which are not subject to the normal authentication checks, and harvesting details about the project's resolution states and workflow configuration. That information helps profile the application environment and can feed into more tailored attacks. The absence of proper access controls on a seemingly low-risk endpoint discloses internal configuration which, combined with other security oversights, may lead to unauthorized access to more sensitive functions of the system.

The finding is confirmed by analyzing the response headers and body for the specific tokens and keywords named above, which demonstrate the misconfiguration in access controls. The issue is also emblematic of a broader pattern of API security misconfigurations seen in some deployments, where endpoints intended for administrative use are inadvertently exposed to unauthenticated users. Because this information can be leveraged by threat actors for additional attacks, it undermines the overall security posture of the Jira instance.
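The detection rule stated above (HTTP 200 on an unauthenticated GET, a body that is Jira's resolution list, an atlassian.xsrf.token in the response) can be applied offline to a captured response when auditing one's own instance. The following is an added example written for this page; it is not part of the advisory or of any scanner. It assumes responses have been captured in `curl -i` style (status line, headers, blank line, body); the hostname `jira.example.invalid`, the token value and both sample captures are constructed for illustration.

```python
"""Offline check for the Jira unauthenticated /rest/api/2/resolution exposure.

Given a captured HTTP response to an unauthenticated GET, decide whether the
advisory's finding applies: HTTP 200, a JSON body shaped like Jira's
resolution list, and an atlassian.xsrf.token handed out in Set-Cookie or body.
"""
import json
from dataclasses import dataclass, field

RESOLUTION_ENDPOINT = "/rest/api/2/resolution"   # endpoint named in the advisory
XSRF_TOKEN_NAME = "atlassian.xsrf.token"         # token named in the advisory


@dataclass
class CapturedResponse:
    """One captured HTTP response; header names are matched case-insensitively."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def parse_raw_response(raw: str) -> CapturedResponse:
    """Parse a `curl -i` style capture: status line, headers, blank line, body."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:  # tolerate captures saved with bare LF line endings
        head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        # Repeated headers (e.g. several Set-Cookie lines) are joined so one lookup sees them all
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return CapturedResponse(status, headers, body)


def looks_like_resolution_list(body: str) -> bool:
    """True when the body is a non-empty JSON array of Jira resolution objects."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    if not isinstance(data, list) or not data:
        return False
    return all(isinstance(item, dict) and {"id", "name", "self"}.issubset(item) for item in data)


def reveals_xsrf_token(resp: CapturedResponse) -> bool:
    """True when the response sets an atlassian.xsrf.token cookie or embeds the token in the body."""
    return XSRF_TOKEN_NAME in resp.header("Set-Cookie") or XSRF_TOKEN_NAME in resp.body


def classify(resp: CapturedResponse) -> dict:
    """Apply the advisory's detection rule to one captured response.

    'exposed' requires HTTP 200 and a resolution list in the body; the token
    indicator is reported separately as corroborating evidence.
    """
    indicators = {
        "http_200": resp.status == 200,
        "resolution_list": looks_like_resolution_list(resp.body),
        "xsrf_token": reveals_xsrf_token(resp),
    }
    return {"exposed": indicators["http_200"] and indicators["resolution_list"],
            "indicators": indicators}


# Constructed sample: what an exposed instance returns for GET /rest/api/2/resolution
EXPOSED_CAPTURE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: application/json;charset=UTF-8",
    "Set-Cookie: atlassian.xsrf.token=CONSTRUCTED-TOKEN-VALUE; Path=/; Secure",
    "",
    json.dumps([
        {"self": "https://jira.example.invalid/rest/api/2/resolution/1",
         "id": "1", "name": "Fixed", "description": "constructed sample resolution"},
        {"self": "https://jira.example.invalid/rest/api/2/resolution/2",
         "id": "2", "name": "Won't Fix", "description": "constructed sample resolution"},
    ]),
])

# Constructed sample: an instance that refuses anonymous access to the endpoint
HARDENED_CAPTURE = "\r\n".join([
    "HTTP/1.1 401 Unauthorized",
    "Content-Type: application/json;charset=UTF-8",
    "",
    json.dumps({"errorMessages": ["Authentication required"], "errors": {}}),
])


if __name__ == "__main__":
    for label, raw in (("exposed", EXPOSED_CAPTURE), ("hardened", HARDENED_CAPTURE)):
        print(label, classify(parse_raw_response(raw)))
```

Feeding a capture of your own instance's response to `classify` gives a reproducible yes/no for this finding plus the individual indicators, which is useful for tracking whether a configuration change actually closed the exposure rather than merely altering the response shape.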
Impact
Exploitation may give attackers access to internal configuration details and security tokens, which can be used for reconnaissance and could lead to further unauthorized actions. In severe cases, attackers may combine this information with other vulnerabilities to gain broader access to the system, potentially leading to exploitation of administrative functions, credential stuffing, or targeted phishing attacks.