Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-69246

Information disclosure in the BrowseProjects.jspa resource - CVE-2019-3399

      The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check.

            [JRASERVER-69246] Information disclosure in the BrowseProjects.jspa resource - CVE-2019-3399

            Hi security+atlassian1282683442,
            As per the cvss score above authentication is not required.

            David Black added a comment - Hi security+atlassian1282683442 , As per the cvss score above authentication is not required.

            Hi,
            Can anyone confirm if this vulnerability can be exploited by non authenticated users?
            Thank you.

            Kind regards,
            Rodolfo

            Security Team at Clearvision added a comment - Hi, Can anyone confirm if this vulnerability can be exploited by non authenticated users? Thank you. Kind regards, Rodolfo

            This is an independent assessment and you should evaluate its applicability to your own IT environment.
            CVSS v3 score: 7.5 => High severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity Low
            Privileges Required None
            User Interaction None

            Scope Metric

            Scope Unchanged

            Impact Metrics

            Confidentiality High
            Integrity None
            Availability None

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

            Security Metrics Bot added a comment - This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 7.5 => High severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality High Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Affected customers:
              0 This affects my team
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: