Anonymous users able to see shared filters, dashboards, or project issues in Jira server
Whether the user is logged in or not in Jira applications they are able to see some shared filters and/or dashboards and/or project issues. Basically, the instance is externally exposed to non-logged users. There's nothing logged in atlassian-jira.log.
Every access to Jira applications is performed as a given user. If you're not logged in, the system automatically uses "anonymous" as user. This is important because filters, dashboards and permission schemes are able to grant privileges to groups and sets of users. One of those groups is anyone - this set of users includes the 'anonymous' user. So, if you grant it any permission or share privilege your instance will be partially exposed.
If you use Jira 8.4 and later than several security fixes have been introduced to remedy the issue. Read about the changes here.
Filters and Dashboards
Adjust the filter or dashboard so that it is no longer shared with Anyone or Public.
- To share with all logged in users select a group containing all Jira users.
- You may need to select multiple groups if you do not have a single group containing all users
- As of Jira 7.2 you are able to select "Any logged-in user"
Jira Administrators are able to find Filters and Dashboards available to anonymous users by looking for Shared with all users or Shared with the public on the 'Manage Filters' and 'Manage Dashboards' pages. The administrator can contact the filter or dashboard owner to change the share, or the administrator can take ownership and adjust the share. See the following knowledge base article to retrieve the list from the database: JIRA get list of all filters shared with everyone
- Manage Filters and Manage Dashboards are located in Jira Administration
- Versions older than 6.3 - Located in Jira Administration > User Management
- Versions 6.3 and newer - Located in Jira Administration > System
Review each Permission Scheme and adjust permissions granted to Anyone. For example, remove "Anyone" from the "Browse Project" permission if issues are visible without being logged in.