Sensitive data exposure via https://████████.mil/secure/QueryComponent!Default.jspa - CVE-2020-14179

**Summary:** Information Disclosure vulnerability in outdated Jira. **Description:** Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. Additional details from [Atlassian][1] and related [CVE-2020-14179][2] Screenshot: ██████████ JSON output of exposed information: █████ ## Step-by-step Reproduction Instructions 1. Visit URL: https://█████████.mil/secure/QueryComponent!Default.jspa to view exposed information in any web browser. ## Product, Version, and Configuration (If applicable) The affected versions are before version 8.5.8, and from version 8.6.0 before 8.11.1. Your currently instilled version is 8.11.0 which is displayed in page source - screenshot █████████ ## Suggested Mitigation/Remediation Actions Update affected Jira version according to vendor instructions. Thank you. [1]: https://jira.atlassian.com/browse/JRASERVER-71536 "JRASERVER-71536" [2]: https://nvd.nist.gov/vuln/detail/CVE-2020-14179 "CVE-2020-14179" ## Impact Unauthenticated attackers to view custom Jira field names and custom SLA names.