Uploaded image for project: 'Crucible'
  1. Crucible
  2. CRUC-8502

Information disclosure of product SEN via the x-asen response header - CVE-2020-14192

XMLWordPrintable

      Affected versions of Atlassian Fisheye and Crucible allow remote attackers to view a product's SEN via an Information Disclosure vulnerability in the x-asen response header from Atlassian Analytics.

      The affected versions are before version 4.8.4.

      Affected versions:

      • version < 4.8.4

      Fixed versions:

      • 4.8.4

            [CRUC-8502] Information disclosure of product SEN via the x-asen response header - CVE-2020-14192

            Marek Parfianowicz made changes -
            Labels Original: CVE-2020-14192 advisory cve-in-progress cvss-medium release-48x release-490 security New: CVE-2020-14192 advisory cve-in-progress cvss-medium release-48x security
            Marek Parfianowicz made changes -
            Labels Original: CVE-2020-14192 advisory cve-in-progress cvss-medium release-490 security New: CVE-2020-14192 advisory cve-in-progress cvss-medium release-48x release-490 security
            Marek Parfianowicz made changes -
            Labels Original: CVE-2020-14192 advisory cve-in-progress cvss-medium security New: CVE-2020-14192 advisory cve-in-progress cvss-medium release-490 security
            AB made changes -
            Labels Original: advisory cve-in-progress cvss-medium security New: CVE-2020-14192 advisory cve-in-progress cvss-medium security
            AB made changes -
            Summary Original: Information disclosure of product SEN via the x-asen response header - CVE-PENDING New: Information disclosure of product SEN via the x-asen response header - CVE-2020-14192
            AB made changes -
            Description Original: Affected versions of Atlassian Fisheye/Crucible allow remote attackers to view a product's SEN via an Information Disclosure vulnerability in the x-asen response header from Atlassian Analytics.

            The affected versions are before version 4.8.4.

            *Affected versions:*

             * version < 4.8.4

            *Fixed versions:*

             * 4.8.4
            		New: Affected versions of Atlassian Fisheye and Crucible allow remote attackers to view a product's SEN via an Information Disclosure vulnerability in the x-asen response header from Atlassian Analytics.

            The affected versions are before version 4.8.4.

            *Affected versions:*
             * version < 4.8.4

            *Fixed versions:*
             * 4.8.4
            AB made changes -
            Description Original: Affected versions of Atlassian FishEye/Crucible allow remote attackers to view a product's SEN via an Information Disclosure vulnerability in the x-asen response header from Atlassian Analytics.

            The affected versions are before version 4.8.4.

            *Affected versions:*

             * version < 4.8.4

            *Fixed versions:*

             * 4.8.4
            		New: Affected versions of Atlassian Fisheye/Crucible allow remote attackers to view a product's SEN via an Information Disclosure vulnerability in the x-asen response header from Atlassian Analytics.

            The affected versions are before version 4.8.4.

            *Affected versions:*

             * version < 4.8.4

            *Fixed versions:*

             * 4.8.4
            AB made changes -
            Labels Original: advisory cvss-medium security New: advisory cve-in-progress cvss-medium security
            AB made changes -
            Component/s New: Runtime platform [ 12765 ]
            Component/s Original: Runtime platform [ 53892 ]
            Fix Version/s New: 4.8.4 [ 92201 ]
            Fix Version/s Original: 4.8.4 [ 92202 ]
            Key Original: FE-7335 New: CRUC-8502
            Affects Version/s New: 4.8.3 [ 92111 ]
            Affects Version/s Original: 4.8.3 [ 91929 ]
            Project Original: FishEye [ 11830 ] New: Crucible [ 11771 ]

            AB added a comment - - edited

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 4.3 => Medium severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity Low
            Privileges Required Low
            User Interaction None

            Scope Metric

            Scope Unchanged

            Impact Metrics

            Confidentiality Low
            Integrity None
            Availability None

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

            AB added a comment - - edited This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 4.3 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

              Unassigned Unassigned
              ablack@atlassian.com AB
              Affected customers:
              0 This affects my team
              Watchers:
              0 Start watching this issue

                Created:
                Updated:
                Resolved: