[FE-7299] The bundled version of Atlassian Navigator Links contained an incorrect authorization check - CVE-2020-4026 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 4.8.2
Affects Version/s: 4.8.1
Component/s: Integrations
Labels:

Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

The bundled version of Atlassian Navigator Links plugin in Atlassian Fisheye before version 4.8.2 allows remote attackers to enumerate all linked applications, including those that are restricted or otherwise hidden, through an incorrect authorization check. Additional details about the issue in the Atlassian Navigator Links plugin can be found below.

The CustomAppsRestResource list resource in Atlassian Navigator Links before version 3.3.23, from version 4.0.0 before version 4.3.7, from version 5.0.0 before 5.0.1, and from version 5.1.0 before 5.1.1 allows remote attackers to enumerate all linked applications, including those that are restricted or otherwise hidden, through an incorrect authorization check.

is related to

CRUC-8485 The bundled version of Atlassian Navigator Links contained an incorrect authorization check - CVE-2020-4026

Closed

Marek Parfianowicz made changes - 09/Nov/2023 9:44 AM

Labels

Original: CVE-2020-4026 advisory advisory-released cvss-medium release-48x release-490 security vulnerable-components

New: CVE-2020-4026 advisory advisory-released cvss-medium release-48x security vulnerable-components

Marek Parfianowicz made changes - 09/Nov/2023 9:43 AM

Labels

Original: CVE-2020-4026 advisory advisory-released cvss-medium release-490 security vulnerable-components

New: CVE-2020-4026 advisory advisory-released cvss-medium release-48x release-490 security vulnerable-components

Marek Parfianowicz made changes - 09/May/2023 5:48 PM

Labels

Original: CVE-2020-4026 advisory advisory-released cvss-medium security vulnerable-components

New: CVE-2020-4026 advisory advisory-released cvss-medium release-490 security vulnerable-components

Marek Parfianowicz made changes - 16/Mar/2021 11:17 AM

Fix Version/s

Original: 4.9.0 [ 90694 ]

David Black made changes - 02/Jun/2020 11:33 PM

Link

New: This issue is related to ~~CRUC-8485~~ [ ~~CRUC-8485~~ ]

David Black made changes - 02/Jun/2020 11:33 PM

Link

Original: This issue was cloned as ~~CRUC-8485~~ [ ~~CRUC-8485~~ ]

David Black made changes - 02/Jun/2020 11:32 PM

Labels

Original: CVE-2020-4026 advisory advisory-to-release cvss-medium security vulnerable-components

New: CVE-2020-4026 advisory advisory-released cvss-medium security vulnerable-components

David Black made changes - 02/Jun/2020 11:32 PM

Security

Original: Reporter and Atlassian Staff [ 10751 ]

David Black made changes - 02/Jun/2020 6:20 AM

Comment

[ A comment with security level 'atlassian-staff' was removed. ]

David Black made changes - 02/Jun/2020 6:19 AM

Link

New: This issue was cloned as ~~FE-7300~~ [ ~~FE-7300~~ ]

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 1 Start watching this issue

Created:: 02/Jun/2020 5:55 AM

Updated:: 09/Nov/2023 9:44 AM

Resolved:: 02/Jun/2020 6:15 AM

Details

Description

Attachments

Issue Links

Forms

Activity

[FE-7299] The bundled version of Atlassian Navigator Links contained an incorrect authorization check - CVE-2020-4026

People

Dates