The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization vulnerability.Referenceshttps://jira.atlassian.com/browse/JRASERVER-71185
