A worklog information disclosure vulnerability exists in Atlassian Jira 7.6.4, from version 7.6.4 to 8.1.0. Authenticated users can view worklog details for issues they do not have permission to view via the
/rest/api/2/worklog/list API endpoint. They can also obtain a list of worklog ID’s via
Atlassian Jira 7.6.4 Atlassian Jira 8.1.0
4.3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE-862 - Missing Authorization
An attacker can use this vector to view details for arbitrary worklog entries. In order for the exploit to run successfully, the user must have a valid session.
Submit a POST to
/rest/api/2/worklog/list with the following body:
2019-05-14 - Vendor Disclosure
2019-08-14 - Vendor Patched
2019-09-16 - Public Release
Discovered by Ben Taylor of Cisco ASIG.