[JRASERVER-70543] Jira Server Comment Permissions Broken Access Control Bug - CVE-2019-20106 - Create and track feature requests for Atlassian products.

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Low
Resolution: Fixed
Affects Version/s: 8.4.1
Fix Version/s: 7.13.12, 8.7.0, 8.6.1, 8.5.4
Component/s: Issue - Comments
Labels:

Fixed in Long Term Support Release/s:

Download 7.13, 8.5
Introduced in Version:
8.04
Support reference count:
1
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug.

Attachments

Issue Links

mentioned in: Page Loading...; Page Loading...

Activity

People

Assignee:: Daniel Ramotowski

Reporter:: Colin Xu

Votes:: 1 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Due:: 24/Mar/2020

Created:: 28/Jan/2020 3:52 AM

Updated:: 15/Sep/2020 3:18 PM

Resolved:: 03/Feb/2020 10:46 AM