-
Bug
-
Resolution: Fixed
-
Low (View bug fix roadmap)
-
8.0.0, 7.6.15, 8.7.1
-
7.06
-
Severity 2 - Major
-
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper.
Affected versions:
- version < 7.13.16
- 8.0.0 ≤ version < 8.5.7
- 8.6.0 ≤ version < 8.9.2
- 8.10.0 ≤ version < 8.10.1
Fixed versions:
- 7.13.16
- 8.5.7
- 8.9.2
- 8.10.1
- 8.11.0
- was cloned as
-
-
- Closed
-
[JRASERVER-71275] IDOR Disclosure of Private Project Titles - CVE-2020-14174
This lists the required version for 8.0 as 8.5.7 or greater. However, the latest version of the LTSR is 8.5.6. I cannot find 8.5.7.
Tenable is basing their plugin to detect the vulnerability as requiring 8.5.7 or greater, which appears to be incorrect upon what I can find for available versions.
This bug is Closed, however, we don't have yet the any of the fixed versions?
Is that so?
This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 3.5 => Low severity
Exploitability Metrics
| Attack Vector | Network |
|---|---|
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | Required |
Scope Metric
| Scope | Unchanged |
|---|
Impact Metrics
| Confidentiality | Low |
|---|---|
| Integrity | None |
| Availability | None |
https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
I don't see the 8.9.2 version on the download page. Should I not wait for it? I notice that 8.5.7 is also missing.
Qualys will also be flagging the older versions for which the promised fix version are still missing.
The release notes for 8.9 and 8.5 do not mention this bug as fixed.