[JRASERVER-69246] Information disclosure in the BrowseProjects.jspa resource - CVE-2019-3399 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.1.0, 7.13.2, 8.0.2
Affects Version/s: 7.12.0, 7.13.0, 7.13.1
Component/s: Data Center - Archiving, Project - Actions
Labels:

Fixed in Long Term Support Release/s:

Download 7.13
Introduced in Version:
7.12
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check.

mentioned in: Page Failed to load

set-jac-bot made changes - 22/May/2020 8:26 AM

Fixed in Enterprise Release/s

New: [Download 7.13|https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html]

Said made changes - 06/Dec/2019 3:47 AM

Labels

Original: CVE-2019-3399 advisory advisory-released cvss-high security

New: CVE-2019-3399 advisory advisory-released cvss-high information-disclosure security

Clement made changes - 09/Aug/2019 12:55 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 442444 ]

David Black added a comment - 30/Apr/2019 9:47 PM

Hi security+atlassian1282683442,
As per the cvss score above authentication is not required.

David Black added a comment - 30/Apr/2019 9:47 PM Hi security+atlassian1282683442 , As per the cvss score above authentication is not required.

Security Team at Clearvision added a comment - 30/Apr/2019 9:20 AM

Hi,
Can anyone confirm if this vulnerability can be exploited by non authenticated users?
Thank you.

Kind regards,
Rodolfo

Security Team at Clearvision added a comment - 30/Apr/2019 9:20 AM Hi, Can anyone confirm if this vulnerability can be exploited by non authenticated users? Thank you. Kind regards, Rodolfo

David Black made changes - 29/Apr/2019 4:40 AM

Security

Original: Reporter and Atlassian Staff [ 10751 ]

David Black made changes - 29/Apr/2019 4:40 AM

Security

New: Reporter and Atlassian Staff [ 10751 ]

David Black made changes - 29/Apr/2019 4:39 AM

Labels

Original: CVE-2019-3399 advisory advisory-to-release cvss-high security

New: CVE-2019-3399 advisory advisory-released cvss-high security

David Black made changes - 29/Apr/2019 4:31 AM

Labels

Original: advisory advisory-to-release cvss-high security

New: CVE-2019-3399 advisory advisory-to-release cvss-high security

David Black made changes - 29/Apr/2019 4:31 AM

Summary

Original: Information disclosure in the BrowseProjects.jspa resource - CVE-2019-3399.

New: Information disclosure in the BrowseProjects.jspa resource - CVE-2019-3399

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 6 Start watching this issue

Created:: 29/Apr/2019 4:15 AM

Updated:: 22/May/2020 8:26 AM

Resolved:: 29/Apr/2019 4:19 AM

Jira Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

[JRASERVER-69246] Information disclosure in the BrowseProjects.jspa resource - CVE-2019-3399

Collapse comment: David Black added a comment - 30/Apr/2019 9:47 PM

Expand comment: David Black added a comment - 30/Apr/2019 9:47 PM

Collapse comment: Security Team at Clearvision added a comment - 30/Apr/2019 9:20 AM

Expand comment: Security Team at Clearvision added a comment - 30/Apr/2019 9:20 AM

People

Dates