[%22,] The bundled version of Atlassian Navigator Links contained an incorrect authorization check - CVE-2020-4026 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 4.8.2
Affects Version/s: 4.8.1
Component/s: Integrations
Labels:

Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

The bundled version of Atlassian Navigator Links plugin in Atlassian Fisheye before version 4.8.2 allows remote attackers to enumerate all linked applications, including those that are restricted or otherwise hidden, through an incorrect authorization check. Additional details about the issue in the Atlassian Navigator Links plugin can be found below.

The CustomAppsRestResource list resource in Atlassian Navigator Links before version 3.3.23, from version 4.0.0 before version 4.3.7, from version 5.0.0 before 5.0.1, and from version 5.1.0 before 5.1.1 allows remote attackers to enumerate all linked applications, including those that are restricted or otherwise hidden, through an incorrect authorization check.

is related to

CRUC-8485 The bundled version of Atlassian Navigator Links contained an incorrect authorization check - CVE-2020-4026

Closed

Security Metrics Bot added a comment - 02/Jun/2020 5:55 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 4.3 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	Low
Integrity	None
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Security Metrics Bot added a comment - 02/Jun/2020 5:55 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 4.3 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 1 Start watching this issue

Created:: 02/Jun/2020 5:55 AM

Updated:: 09/Nov/2023 9:44 AM

Resolved:: 02/Jun/2020 6:15 AM

Details

Description

Attachments

Issue Links

Forms

Activity

[FE-7299] The bundled version of Atlassian Navigator Links contained an incorrect authorization check - CVE-2020-4026

Collapse comment: Security Metrics Bot added a comment - 02/Jun/2020 5:55 AM

Expand comment: Security Metrics Bot added a comment - 02/Jun/2020 5:55 AM

People

Dates