• Type: Bug
• Resolution: Fixed
• Priority: Low (View bug fix roadmap)
• Fix Version/s: 8.4.2, 7.13.9, 8.5.0
• Affects Version/s: 8.3.0, 7.13.5
• Component/s: Issue - Actions, Issue - Sub-Tasks
• Labels:

  • advisory
  • advisory-released
  • cve-2019-20412
  • cvss-high
  • information-disclosure
  • security

[JRASERVER-70882] Improper authentication on Convert Sub-Task to Issue page - CVE-2019-20412

David Black made changes - 01/Jul/2020 12:41 AM

Labels

Original: advisory advisory-to-release cve-2019-20412 cvss-high information-disclosure security

New: advisory advisory-released cve-2019-20412 cvss-high information-disclosure security

AB made changes - 29/Jun/2020 5:49 AM

Summary

Original: Improper authentication on Convert Sub-Task to Issue page

New: Improper authentication on Convert Sub-Task to Issue page - CVE-2019-20412

AB made changes - 29/Jun/2020 5:49 AM

Labels

Original: advisory advisory-to-release cve-in-progress cvss-high information-disclosure security

New: advisory advisory-to-release cve-2019-20412 cvss-high information-disclosure security

AB made changes - 29/Jun/2020 5:17 AM

Labels

Original: advisory advisory-to-release cvss-high information-disclosure security

New: advisory advisory-to-release cve-in-progress cvss-high information-disclosure security

set-jac-bot made changes - 22/May/2020 8:25 AM

Fixed in Enterprise Release/s

New: [Download 7.13, 8.5|https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html]

AB made changes - 28/Apr/2020 5:15 AM

Description

Original: The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability:  * Workflow names  * Project Key, if it is part of the workflow name  * Issue Keys  * Issue Types  * Status Types *Affected versions:*  * version < 7.13.9  * 8.0.0 ≤ version < 8.4.2 *Fixed versions:*  * 7.13.9  * 8.4.2  * 8.5.0

New: The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability:  * Workflow names  * Project Key, if it is part of the workflow name  * Issue Keys  * Issue Types  * Status Types *Affected versions:*  * version < 7.13.9  * 7.14.0 ≤ version < 8.4.2 *Fixed versions:*  * 7.13.9  * 8.4.2  * 8.5.0

Bugfix Automation Bot made changes - 08/Apr/2020 3:30 AM

Introduced in Version

New: 7.13

AB made changes - 08/Apr/2020 3:11 AM

Security

Original: Atlassian Staff [ 10750 ]

AB made changes - 08/Apr/2020 3:10 AM

Resolution		New: Fixed [ 1 ]
Status	Original: Needs Triage [ 10030 ]	New: Closed [ 6 ]

AB made changes - 08/Apr/2020 3:10 AM

Description

Original: Component in Atlassian Jira Server and Data Center from version 7.13.5 before version 7.13.9, from version 8.3.0 before version 8.4.2 and before version 8.5.0 allows remote attackers to IMPACT via a VULN_INFO.

New: The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability:  * Workflow names  * Project Key, if it is part of the workflow name  * Issue Keys  * Issue Types  * Status Types *Affected versions:*  * version < 7.13.9  * 8.0.0 ≤ version < 8.4.2 *Fixed versions:*  * 7.13.9  * 8.4.2  * 8.5.0

Load more older events