What is changing?
JQL queries with issuekey or issue will be returning different error messages and status codes in case of nonexisting project or lack of permissions. The unauthorized user will get 400 status and message: "Issue does not exist or you do not have permission to see it.” instead of current behaviour where the error message exposes the existence of project/issue. The change also introduces warning messages for searches like issuekey in (…) where one or more of the given issuekeys do not exist. With the new behaviour, the user will get the response with status 200, existing issues, and the warning message with information about the issues that could not be found instead of failing the whole search as it was done till now.
Why is it changing?
This change is presented to prevent the possibility of enumeration issue keys and identifying project existence. After this change is rolled out, there will be no way for unauthorized users to recognize whether the issue/project does not exist or they have no permission to see it.
What do I need to do?
If your app uses JQL queries containing issuekey or issue you should check whether, in case of searching for a non-existing issue or issue that is not permitted to be seen, your app will handle the response correctly.
By when do I need to do it?
Because this is related to a security vulnerability with a short SLA, we will be rolling out this change in 1 month. Please have your apps updated by 2021-06-24T22:00:00Z.