Sensitive data exposure via /secure/QueryComponent!Default.jspa endpoint on ████████

**Description:** Hi, While going through the testing of DoD assets, I have came across a subdomain that is vulnerable to CVE-2020-14179. Some of the internal fields that are exposed are Project, Status, Limits, Creator, Query, Created Date, Updated Date, Resolution Date, etc. ## References https://jira.atlassian.com/browse/JRASERVER-71536 https://www.cvedetails.com/cve/CVE-2020-14179 ## Impact It allows unauthenticated attackers like me to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. ## System Host(s) ███ ## Affected Product(s) and Version(s) ## CVE Numbers CVE-2020-14179 ## Steps to Reproduce 1. Open browser 2. Hit endpoint */jira/secure/QueryComponent!Default.jspa* in the target 3. Observe the results. ## Suggested Mitigation/Remediation Actions