Does the JQL (Jira Query Language) feature in Jira pose a security risk to my setup?

The Jira Query Language (JQL) is utilized in the ‘Advanced Search’ feature to extract data from my Jira database and resembles SQL in its structure. I have the capability to generate a URL that includes a full JQL query. For instance:

https://[mysite.com]/issues/?jql=project%20%3D%20PVZ%20AND%20resolution%20%3D%20Unresolved%20ORDER%20BY%20priority%20DESC

Even when I am not logged into the system, executing this query accesses the database and returns a response. For example, if I run the above query on the Atlassian demo site, the response I receive is:

The value 'PVZ' does not exist for the field 'project'.
No issues were found to match your search. Try logging in to see more results.

Does this pose a security risk? Could I inadvertently expose sensitive Jira information by enabling this feature? Is there a possibility for SQL injection via JQL? Can I restrict this feature for users who are not logged in? Would it be advisable to disable it for users who aren’t authenticated?

JQL inherently doesn't have SQL injection risks, since it's designed only to query data already accessible based on the user's permissions, not to manipulate the underlying DB. Make sure permissions are configured correctly, so unauthenticated users can't access sensitive info. Review who can see what; that'll help mitigate risk.

You should definitely check your Jira settings to ensure only authenticated users can execute those JQL queries. Also audit the permissions regularly to avoid accidentally exposing data. If configured right, JQL is pretty safe. Still, keeping things locked down helps.
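Both answers come down to "check what an anonymous visitor can actually see". Here is an added Python example of that check (it is not code from the question, either answer, or Atlassian). It builds the same kind of URL-encoded JQL request the question shows, but against Jira's REST search endpoint /rest/api/2/search, which is what Advanced Search uses behind the UI, sends it with no session cookie or Authorization header, and reports which queries return issues. The base URL jira.example.com, the PUB project keys and the sample responses are all constructed for the offline demo; point fetch_anonymous at your own instance to run it for real.

```python
"""Anonymous JQL exposure audit (added example, not from the post or from Atlassian).

Assumptions: the Jira REST endpoint /rest/api/2/search, a hypothetical base URL
(jira.example.com), and constructed sample responses for the offline run.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, List

# Constructed audit queries: the first mirrors the question's URL, the second is the
# broadest query possible (anything the visitor has Browse permission on), the third
# is a keyword sweep of the kind an attacker would try first.
AUDIT_QUERIES = [
    "project = PVZ AND resolution = Unresolved ORDER BY priority DESC",
    "ORDER BY created DESC",
    "text ~ password",
]


def jql_search_url(base_url: str, jql: str, max_results: int = 50) -> str:
    """Build the REST search URL; urlencode does the %3D / + escaping seen in the question."""
    params = urllib.parse.urlencode(
        {"jql": jql, "maxResults": max_results, "fields": "key,summary"}
    )
    return f"{base_url.rstrip('/')}/rest/api/2/search?{params}"


def fetch_anonymous(url: str) -> dict:
    """GET with no cookie or Authorization header, i.e. what a logged-out visitor gets.

    Jira answers JQL errors (unknown project, bad field) with a 4xx whose JSON body
    carries errorMessages, so that body is returned rather than raised.
    """
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return json.loads(err.read())


def classify(result: dict) -> str:
    """'exposed' if the anonymous search returned issues, 'error' for a JQL error, else 'no-issues'."""
    if result.get("errorMessages"):
        return "error"
    return "exposed" if result.get("total", 0) > 0 else "no-issues"


def audit_anonymous_exposure(base_url: str, queries: List[str], fetch=fetch_anonymous) -> List[dict]:
    """Run each query unauthenticated and summarise what came back."""
    findings = []
    for jql in queries:
        result = fetch(jql_search_url(base_url, jql))
        findings.append({
            "jql": jql,
            "status": classify(result),
            "total": result.get("total", 0),
            "keys": [issue["key"] for issue in result.get("issues", [])],
            "errors": result.get("errorMessages", []),
        })
    return findings


# Constructed responses in the shape Jira's REST API uses (not captured from a real site).
SAMPLE_RESPONSES: Dict[str, dict] = {
    AUDIT_QUERIES[0]: {
        "errorMessages": ["The value 'PVZ' does not exist for the field 'project'."],
        "errors": {},
    },
    AUDIT_QUERIES[1]: {
        "startAt": 0, "maxResults": 50, "total": 2,
        "issues": [
            {"key": "PUB-1", "fields": {"summary": "Public roadmap item"}},
            {"key": "PUB-7", "fields": {"summary": "Customer-reported outage"}},
        ],
    },
    AUDIT_QUERIES[2]: {"startAt": 0, "maxResults": 50, "total": 0, "issues": []},
}


def offline_fetch(url: str) -> dict:
    """Stand-in for fetch_anonymous that answers from SAMPLE_RESPONSES."""
    jql = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["jql"][0]
    return SAMPLE_RESPONSES[jql]


if __name__ == "__main__":
    for f in audit_anonymous_exposure("https://jira.example.com", AUDIT_QUERIES, fetch=offline_fetch):
        print(f"{f['status']:10} total={f['total']:<3} {f['jql']}  {f['keys'] or f['errors']}")
```

Read the results the way the question's own demo-site output has to be read: "no-issues" from an anonymous run only tells you something once the same query returns issues when you are logged in, because Jira hides both non-existent and non-browseable issues behind the same empty result. Any "exposed" row means a project's permission scheme grants Browse Projects to anonymous users, which is where the fix belongs; the JQL feature itself is just the window onto that setting.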