Atlassian fingerprinting Jira or Confluence version as unauthenticated user
The Atlassian Jira or Confluence version can usually only be identified when logged in.
However, there is a way to apply a fingerprint to the Tomcat version by provoking an Tomcat error message.
Here is just one way for each.
On a Confluence server, you can force the error by querying the activity stream and using a null byte for the query parameter maxResults=%00 to get Apache Tomcat 400 error page stating the used Tomcat version.
wget https://domainname/rest/dashboardmacros/1.0/updates?maxResults=%00&tab=all&showProfilePic=true&labels=&spaces=&users=&types=&category=&spaceKey=
For a Jira server, call the contact administrator function with an simple HTTP GET instead of POST Request to get Apache Tomcat 405 error page stating the used Tomcat version.
It doesn’t matter whether the feature or the mail account is activated. We simply need the HTTP GET Method to an unprotected function
wget https://domainname/secure/ContactAdministrators.jspa
Atlassian usually updates the Tomcat version soon, at latest when a security update is included.
An enumeration based on shown Tomcat version means
For Confluence
| Tomcat version | Release date | --> | Confluence version | Release date |
|---|---|---|---|---|
| 9.0.76 | 2023-06-09 | --> | 8.5.0 | 21-Aug-2023 |
| 9.0.76 | 2023-06-09 | --> | 8.5.1 | 05-Sep-2023 |
| 9.0.76 | 2023-06-09 | --> | 8.5.2 | 03-Oct-2023 |
| 9.0.82 | 2023-10-13 | --> | 8.5.3 | 30-Oct-2023 |
| 9.0.82 | 2023-10-13 | --> | 8.5.4 | 05-Dec-2023 |
| 9.0.83 | 2023-11-15 | --> | 8.5.5 | 16-Jan-2024 |
| 9.0.83 | 2023-11-15 | --> | 8.5.6 | 08-Feb-2024 |
For Jira
| Tomcat version | Release date | --> | Jira version | Release date |
|---|---|---|---|---|
| 9.0.73 | 2023-03-03 | --> | 9.4.8 | 27-Jun-2023 |
| 9.0.75 | 2023-05-10 | --> | 9.4.9 | 31-Jul-2023 |
| 9.0.75 | 2023-05-10 | --> | 9.4.10 | 05-Sep-2023 |
| 9.0.80 | 2023-08-25 | --> | 9.4.11 | 04-Oct-2023 |
| 9.0.82 | 2023-10-13 | --> | 9.4.12 | 08-Nov-2023 |
| 9.0.82 | 2023-10-13 | --> | 9.4.13 | 05-Dec-2023 |
| 9.0.82 | 2023-10-13 | --> | 9.4.14 | 05-Dec-2023 |
| 9.0.84 | 2023-12-12 | --> | 9.4.15 | 03-Jan-2024 |
| 9.0.84 | 2023-12-12 | --> | 9.4.16 | 07-Feb-2024 |
| 9.0.84 | 2023-12-12 | --> | 9.4.17 | 12-Feb-2024 |
This is not a real vulnerability, but the fingerprint should be avoided. I reported the issue to Atlassians security e-mail contact and was requested to open a bugcrowd issue.
I don’t necessarily want to qualify for a reward, I want a secure software.
I have suggested a solution by using a modified Tomcat ServerInfo.properties.
Bugcrowd closed shortly the issue as P5 informational only.
Disclaimer
The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.
The contents of this advisory are copyright (c) 2024 by psytester and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.