
The bundled version of Atlassian Navigator Links contained an incorrect authorization check - CVE-2020-4026

      The bundled version of Atlassian Navigator Links plugin in Atlassian Fisheye before version 4.8.2 allows remote attackers to enumerate all linked applications, including those that are restricted or otherwise hidden, through an incorrect authorization check. Additional details about the issue in the Atlassian Navigator Links plugin can be found below.

      The CustomAppsRestResource list resource in Atlassian Navigator Links before version 3.3.23, from version 4.0.0 before version 4.3.7, from version 5.0.0 before 5.0.1, and from version 5.1.0 before 5.1.1 allows remote attackers to enumerate all linked applications, including those that are restricted or otherwise hidden, through an incorrect authorization check.
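A version-matching check built from the affected ranges quoted in the description above, as an added example that is not Atlassian's code. The component keys, host names and inventory rows are constructed, and treating a pre-release build of a fixed version as still affected is a conservative assumption.

```python
import re

# Half-open ranges [introduced, fixed) taken from the advisory text.
# None means no lower bound. Component keys are labels chosen for this example.
AFFECTED = {
    "navigator-links": [(None, "3.3.23"), ("4.0.0", "4.3.7"),
                        ("5.0.0", "5.0.1"), ("5.1.0", "5.1.1")],
    "fisheye": [(None, "4.8.2")],
}

def parse(version):
    """Return (numeric tuple, has_qualifier) for strings like '4.3.7-SNAPSHOT'."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(.*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))            # '4.8' compares as (4, 8, 0)
    return tuple(nums), bool(m.group(2))

def is_affected(component, version):
    nums, prerelease = parse(version)
    for introduced, fixed in AFFECTED[component]:
        lo = parse(introduced)[0] if introduced else None
        hi = parse(fixed)[0]
        # Assumption: a pre-release of the fixed version may predate the fix.
        below_fix = nums < hi or (nums == hi and prerelease)
        if (lo is None or nums >= lo) and below_fix:
            return True
    return False

def triage(inventory):
    """Return the (host, component, version) rows that need an upgrade."""
    return [row for row in inventory if is_affected(row[1], row[2])]

# Constructed inventory for illustration only.
INVENTORY = [
    ("fe-prod-1", "fisheye", "4.8.1"),
    ("fe-prod-2", "fisheye", "4.8.2"),
    ("jira-1", "navigator-links", "4.3.6"),
    ("jira-2", "navigator-links", "5.0.1"),
    ("conf-1", "navigator-links", "5.1.1-SNAPSHOT"),
    ("conf-2", "navigator-links", "3.3.23"),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print("upgrade needed:", *row)
```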

            [CRUC-8485] The bundled version of Atlassian Navigator Links contained an incorrect authorization check - CVE-2020-4026

            Marek Parfianowicz made changes -
            Labels Original: CVE-2020-4026 advisory advisory-released cvss-medium release-48x release-490 security vulnerable-components New: CVE-2020-4026 advisory advisory-released cvss-medium release-48x security vulnerable-components
            Marek Parfianowicz made changes -
            Labels Original: CVE-2020-4026 advisory advisory-released cvss-medium release-490 security vulnerable-components New: CVE-2020-4026 advisory advisory-released cvss-medium release-48x release-490 security vulnerable-components
            Marek Parfianowicz made changes -
            Labels Original: CVE-2020-4026 advisory advisory-released cvss-medium security vulnerable-components New: CVE-2020-4026 advisory advisory-released cvss-medium release-490 security vulnerable-components
            Marek Parfianowicz made changes -
            Fix Version/s Original: 4.9.0 [ 90696 ]
            David Black made changes -
            Labels Original: CVE-2020-4026 advisory advisory-to-release cvss-medium security vulnerable-components New: CVE-2020-4026 advisory advisory-released cvss-medium security vulnerable-components
            David Black made changes -
            Security Original: Reporter and Atlassian Staff [ 10751 ]
            David Black made changes -
            Link New: This issue relates to FE-7299 [ FE-7299 ]
            David Black made changes -
            Link Original: This issue is cloned from FE-7299 [ FE-7299 ]

            David Black added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.
            CVSS v3 score: 4.3 => Medium severity

            Exploitability Metrics

            Attack Vector: Network
            Attack Complexity: Low
            Privileges Required: Low
            User Interaction: None

            Scope Metric

            Scope: Unchanged

            Impact Metrics

            Confidentiality: Low
            Integrity: None
            Availability: None

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

            David Black made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Needs Triage [ 10030 ] New: Closed [ 6 ]

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot