
[JRASERVER-70565] Information disclosure of project key existence vulnerability in Jira - CVE-2019-20403

The API in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to determine if a Jira project key exists or not via an information disclosure vulnerability.

Priya Varghese added a comment -

Hello,

Thank you so much for your comments on this issue. We value your feedback.
We’re doing further research on the usage of the Jira Import Tool (also known as Jira Importers Plug-in / CSV Import / Trello Import), and we’d like to invite you to take part in an upcoming customer research study.

What’s involved in the research:

• We’ll schedule a 1-hour session at a time that’s convenient for you. The session will be conducted over video-conference, so you can participate from anywhere around the globe.
• During the research, we'll start with a general chat to get to know you, and then we’d like to hear about how you use the Jira Import Tool for your tasks, and any feedback you have about the tool.
• As a token of our appreciation, you'll receive an e-gift card worth $100 within 5 days of completing your session.

If you're interested in taking part, please contact me on pvarghese@atlassian.com to schedule a time that works for you.
If you have any other questions at all, feel free to reply to this message or email me directly on pvarghese@atlassian.com.
We look forward to meeting you!

Cheers,
Priya Varghese
(Migrations Experience Design Team)

Bl Ldd added a comment -

Is there any advisory on how to reproduce this issue?

Deleted Account (Inactive) added a comment -

I see now that the enterprise releases might only receive fixes for critical severity issues.

Deleted Account (Inactive) added a comment - edited

Why is this closed without a fix for enterprise version 7.13.x?

Maxime Lemanissier added a comment -

Is it planned to backport this fix in enterprise release 8.5?

Mateusz Marzęcki added a comment -

Hi 3f81e0371c86,

Thanks for reaching out to us; the fix is available in 8.6.0 and further releases.

Greetings.

BC Readonly added a comment -

Hi, is it also fixed in v8.6.1 or just in 8.6.0?

Security Metrics Bot added a comment -

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 5.4 => Medium severity

Exploitability Metrics
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required

Scope Metric
Scope: Unchanged

Impact Metrics
Confidentiality: Low
Integrity: Low
Availability: None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
