[JRASERVER-71498] Project enumeration through /browse.PROJECTKEY - CVE-2020-14178 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.12.0, 8.5.8, 7.13.17, 8.13.0
Affects Version/s: 7.13.9, 8.8.0, 8.8.1
Component/s: System Administration - General Configuration
Labels:

Fixed in Long Term Support Release/s:

Download 7.13, 8.5
Introduced in Version:
7.13
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project keys via an Information Disclosure vulnerability in the /browse.PROJECTKEY endpoint.

Affected versions:

version < 7.13.17
7.14.0 ≤ version < 8.5.8
8.6.0 ≤ version < 8.12.0

Fixed versions:

7.13.17
8.5.8
8.12.0
8.13.0

mentioned in: Page Failed to load; Page Failed to load; Page Failed to load

Security Metrics Bot added a comment - 31/Aug/2020 9:25 PM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 5.3 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	Low
Integrity	None
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Security Metrics Bot added a comment - 31/Aug/2020 9:25 PM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 5.3 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 2 Start watching this issue

Created:: 31/Aug/2020 9:25 PM

Updated:: 17/Nov/2022 6:50 PM

Resolved:: 01/Sep/2020 4:29 AM

Jira Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

[JRASERVER-71498] Project enumeration through /browse.PROJECTKEY - CVE-2020-14178

Collapse comment: Security Metrics Bot added a comment - 31/Aug/2020 9:25 PM

Expand comment: Security Metrics Bot added a comment - 31/Aug/2020 9:25 PM

People

Dates