H3-2025-0040
Jira Unauthenticated Access to Screens API
Category | SECURITY_CONTROLS |
Base Score | 5.0 |
Description
The Jira Unauthenticated Access to Screens vulnerability is an access-control weakness in which the screens endpoint of Jira answers requests that carry no credentials. In a properly configured instance, administrative REST endpoints such as /rest/api/2/screens are expected to require an authenticated session, basic credentials or an API token before returning data. On an affected instance, through misconfiguration or a design oversight, the endpoint returns screen details to an unauthenticated request.

The response is JSON containing fields such as "id", "name" and "description" for each screen, which lets an attacker enumerate project screens, their layouts and associated metadata and so map the internal project configuration. The root cause is missing authentication on a read endpoint; a Cross-Site Request Forgery (XSRF) token does not close this gap, because such tokens only bind browser-originated, state-changing requests to an existing session and play no part in a direct unauthenticated GET.

The direct risk is limited to information disclosure, but the disclosed configuration supports further reconnaissance: an attacker can use it to understand the system's structure and to identify weaknesses to target next. A practical check is to request the endpoint with no cookie, credentials or token; a hardened instance should reply with HTTP 401 or 403 rather than a 200 carrying screen objects. That such an endpoint is reachable anonymously illustrates a lapse in security configuration and underlines the need for consistent authentication and authorization on every component exposed through web services.
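The check described above, as an added example that is not part of this advisory or of Atlassian's code: a stdlib-only Python script that requests /rest/api/2/screens with no credentials and classifies the reply. The target host, the verdict names and the sample response bodies are constructed for illustration; the only Jira specifics relied on are the endpoint path and the "id"/"name"/"description" fields the advisory names. The script accepts both a bare JSON array and a paginated object with a "values" array, since different Jira deployments return either shape.

```python
"""Check whether a Jira instance serves /rest/api/2/screens to anonymous callers.

Added example for this advisory; not Atlassian code. The host name, the
verdict strings and any sample bodies are constructed for illustration.
"""
import json
import sys
import urllib.error
import urllib.request

SCREENS_PATH = "/rest/api/2/screens"
SCREEN_FIELDS = ("id", "name")  # fields the advisory names as identifying a screen object


def classify_response(status, body, content_type="application/json"):
    """Classify a response that was received WITHOUT any credentials.

    Returns (verdict, screens) where verdict is one of
      "exposed"       - HTTP 200 with JSON containing screen objects (id/name)
      "auth_required" - HTTP 401 or 403: the control the advisory expects
      "inconclusive"  - anything else (HTML login page, empty list, bad JSON)
    and screens is a list of (id, name) pairs found, for the report.
    """
    if status in (401, 403):
        return "auth_required", []
    if status != 200 or "json" not in (content_type or "").lower():
        return "inconclusive", []
    try:
        data = json.loads(body)
    except ValueError:
        return "inconclusive", []
    # A bare array and a pagination object with a "values" array both occur
    # in Jira deployments; accept either shape.
    if isinstance(data, list):
        items = data
    elif isinstance(data, dict):
        items = data.get("values", [])
    else:
        items = []
    screens = [
        (item["id"], item["name"])
        for item in items
        if isinstance(item, dict) and all(f in item for f in SCREEN_FIELDS)
    ]
    if screens:
        return "exposed", screens
    return "inconclusive", []


def fetch_unauthenticated(base_url, timeout=10):
    """GET the screens endpoint with no cookie, no basic auth and no token."""
    req = urllib.request.Request(
        base_url.rstrip("/") + SCREENS_PATH,
        headers={
            "Accept": "application/json",
            # Atlassian's header for non-browser REST clients: it tells the
            # server not to apply its XSRF check. Included to show that the
            # XSRF mechanism is irrelevant to an anonymous GET.
            "X-Atlassian-Token": "no-check",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace"), resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace"), err.headers.get("Content-Type", "")


def main(argv):
    if len(argv) != 2:
        # hypothetical host, used only in the usage line
        print(f"usage: {argv[0]} https://jira.example.internal", file=sys.stderr)
        return 2
    verdict, screens = classify_response(*fetch_unauthenticated(argv[1]))
    print(f"{SCREENS_PATH}: {verdict}")
    for screen_id, name in screens[:10]:
        print(f"  id={screen_id} name={name!r}")
    return 1 if verdict == "exposed" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the base URL of the instance; a non-zero exit with an "exposed" verdict and a list of screen ids and names reproduces the finding, while "auth_required" shows the expected control in place. An "inconclusive" result (for example an HTML login page served on 200) should be inspected by hand rather than read as either outcome.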
Impact
If exploited, an attacker can collect the configuration of Jira screens (identifiers, names, descriptions, layouts) without any form of authentication. This does not by itself expose issue data or grant write access, which is consistent with the base score, but it gives the attacker a map of the project configuration that can reveal security gaps and support more targeted follow-on attacks against the instance, raising the risk of a later compromise of data confidentiality or integrity.