"Contact Administrators" on JIRA Page Footer Throws a Blank List
Symptoms
- The instance runs a JIRA version newer than 4.1.1.
- You click the "Contact Administrators" button in the footer of any JIRA page, but the list of administrators is not displayed. You only see a blank list.
Nothing else appears in the system logs.
Cause
Since version 4.1.1, JIRA ships with the option jira.paths.set.allowed in $JIRA_INSTALL/atlassian-jira/WEB-INF/classes/jira-application.properties disabled by default because of the following security vulnerability: XSS and Privilege Escalation Vulnerabilities in JIRA.
Resolution
- First, understand the security vulnerabilities that this option introduces when enabled. Do not proceed if you believe that your instance won't be safe. Please see JRA-21004.
- Edit $JIRA_INSTALL/atlassian-jira/WEB-INF/classes/jira-application.properties, uncomment the line jira.paths.set.allowed and set it to true: jira.paths.set.allowed=true.
- Restart the instance and confirm that the Contact Administrators link is working now.
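To confirm the state of the setting before and after this change, or to find instances where it was left enabled, the following added example (not Atlassian code) reads the effective value of jira.paths.set.allowed from a properties file. The sample files are constructed, and treating any casing of "true" as enabled is an assumption.

```shell
#!/bin/sh
# Added example, not Atlassian code. Reports whether jira.paths.set.allowed
# is effectively enabled in a jira-application.properties file.

# Print the effective value of key $1 in properties file $2, or "unset".
# Comment lines (# or !) are skipped, so a commented-out line counts as
# unset; the last assignment wins, as in java.util.Properties.
effective_value() {
    awk -v key="$1" '
        /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, key) != 1) next
            rest = substr(line, length(key) + 1)
            if (rest != "" && rest !~ /^[ \t=:]/) next   # a longer key name
            sub(/^[ \t]*[=:]?[ \t]*/, "", rest)
            sub(/[ \t\r]+$/, "", rest)
            val = rest; found = 1
        }
        END { print (found ? val : "unset") }
    ' "$2"
}

# Return 0 if the option is off, 1 if it is on, 2 if the file is unreadable.
# Assumption: any casing of "true" enables it, which is the cautious reading.
audit_paths_set_allowed() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    value=$(effective_value jira.paths.set.allowed "$1")
    case $(printf '%s' "$value" | tr '[:upper:]' '[:lower:]') in
        true) echo "ENABLED  $1: jira.paths.set.allowed=$value (see JRA-21004)"
              return 1 ;;
        *)    echo "disabled $1: jira.paths.set.allowed is $value"
              return 0 ;;
    esac
}

# Constructed sample files: a commented-out line and the state after the change.
sample_dir=$(mktemp -d)
printf '%s\n' '# jira.paths.set.allowed=true' > "$sample_dir/default.properties"
printf '%s\n' '#jira.paths.set.allowed=true' 'jira.paths.set.allowed = true' \
    > "$sample_dir/enabled.properties"
audit_paths_set_allowed "$sample_dir/default.properties" || true
audit_paths_set_allowed "$sample_dir/enabled.properties" || true
```

On a real instance, call audit_paths_set_allowed with the path to $JIRA_INSTALL/atlassian-jira/WEB-INF/classes/jira-application.properties.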
Last modified on Feb 26, 2016