[JRASERVER-71275] IDOR Disclosure of Private Project Titles - CVE-2020-14174

      Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper.

      Affected versions:

      • version < 7.13.16
      • 8.0.0 ≤ version < 8.5.7
      • 8.6.0 ≤ version < 8.9.2
      • 8.10.0 ≤ version < 8.10.1

      Fixed versions:

      • 7.13.16
      • 8.5.7
      • 8.9.2
      • 8.10.1
      • 8.11.0
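The four affected ranges above each end at the fixed release for that release line, which is easy to misread when comparing an installed version against scanner output. The following Python checker is an added example, not Atlassian's code: it encodes the advisory's boundaries exactly as listed and reports the minimum fixed release for a given version. The function names and the sample inventory (host names and versions) are constructed for illustration.

```python
"""Check a Jira Server / Data Center version against the affected ranges
published for CVE-2020-14174 (JRASERVER-71275).

Added example, not Atlassian's code. Version boundaries are copied from the
advisory text; helper names and sample hosts are constructed.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse a dotted version such as '8.5.6' into a comparable tuple.

    Short versions are padded to three components so '8.10' compares as
    (8, 10, 0). Anything that is not plain dotted digits is rejected rather
    than silently compared.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


# (lower bound inclusive or None, upper bound exclusive), from the advisory.
# The exclusive upper bound of each range is the fixed release for that line;
# 8.11.0 needs no entry because no range reaches it.
AFFECTED_RANGES = (
    (None, "7.13.16"),
    ("8.0.0", "8.5.7"),
    ("8.6.0", "8.9.2"),
    ("8.10.0", "8.10.1"),
)


def minimum_fix(version: str) -> Optional[str]:
    """Return the lowest fixed release on the same line, or None if not affected."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        in_lower = low is None or parse_version(low) <= v
        if in_lower and v < parse_version(high):
            return high
    return None


def is_affected(version: str) -> bool:
    return minimum_fix(version) is not None


# Constructed sample inventory; host names and versions are made up.
SAMPLE_INVENTORY = {
    "jira-prod-1": "8.5.6",
    "jira-prod-2": "8.9.2",
    "jira-legacy": "7.13.12",
    "jira-dev": "8.10.0",
    "jira-new": "8.11.0",
}


def triage(inventory: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each host to the fix release it needs, or None if already fixed."""
    return {host: minimum_fix(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, fix in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'upgrade to ' + fix if fix else 'not affected'}")
```

Note that a version between two lines, for example 8.5.12, is not affected because the 8.5 line is fixed from 8.5.7 and the next affected range only starts at 8.6.0; a checker that compares against a single "fixed version" instead of the per-line ranges would misreport it.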


            skavatekar made changes -
            Link New: This issue was cloned as JRASERVER-73811 [ JRASERVER-73811 ]
            David Black made changes -
            Labels Original: advisory advisory-to-release bugbounty cve-2020-14174 cvss-low idor monsters security New: advisory advisory-released bugbounty cve-2020-14174 cvss-low idor monsters security
            Mark Lang made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 509304 ]
            Mark Lang made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 500273 ]

            Russell Berry added a comment -

            I don't see the 8.9.2 version on the download page. Should I not wait for it? I notice that 8.5.7 is also missing.

            Qualys will also be flagging the older versions for which the promised fix versions are still missing.

            The release notes for 8.9 and 8.5 do not mention this bug as fixed.

            Andrew Borntreger added a comment -

            This lists the required version for 8.0 as 8.5.7 or greater. However, the latest version of the LTSR is 8.5.6. I cannot find 8.5.7.

            Tenable is basing their plugin to detect the vulnerability as requiring 8.5.7 or greater, which appears to be incorrect based on what I can find for available versions.

            Niranjan added a comment -

            Hi,

            Do we have any workarounds for 8.3.4?

            Regards

            Niran
            Ignat (Inactive) made changes -
            Status Original: Closed [ 6 ] New: Closed [ 6 ]

            Jeff Santos added a comment -

            This bug is Closed; however, we don't yet have any of the fixed versions?

            Is that so?
            AB made changes -
            Security Original: Atlassian Staff [ 10750 ]
