[JRASERVER-70926] Improper authorization on /rest/project-templates/1.0/createshared endpoint - CVE-2020-4029 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.7.2, 8.5.5, 8.9.0, 8.8.1
Affects Version/s: 7.13.1, 8.7.0, 8.6.1, 8.5.4, 8.8.0, 8.7.1
Component/s: REST API
Labels:

Fixed in Long Term Support Release/s:

Download 8.5
Introduced in Version:
7.13
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project names via an improper authorization vulnerability in the /rest/project-templates/1.0/createshared endpoint API endpoint.

Affected versions:

version < 8.5.5
8.6.0 ≤ version < 8.7.2
8.8.0 ≤ version < 8.8.1

Fixed versions:

8.5.5
8.7.2
8.8.1
8.9.0

mentioned in: Page Failed to load; Page Failed to load

relates to: VULN-616389 Failed to load

Security Metrics Bot added a comment - 20/Apr/2020 6:02 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 4.3 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	Low
Integrity	None
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Security Metrics Bot added a comment - 20/Apr/2020 6:02 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 4.3 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 1 Start watching this issue

Created:: 20/Apr/2020 6:02 AM

Updated:: 03/Nov/2021 6:02 AM

Resolved:: 20/Apr/2020 6:06 AM

Jira Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

[JRASERVER-70926] Improper authorization on /rest/project-templates/1.0/createshared endpoint - CVE-2020-4029

Collapse comment: Security Metrics Bot added a comment - 20/Apr/2020 6:02 AM

Expand comment: Security Metrics Bot added a comment - 20/Apr/2020 6:02 AM

People

Dates