Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 8.17.0, 8.5.15, 8.13.7
Affects Version/s: 5.0
Component/s: Project Administration - Components
Labels:

Fixed in Long Term Support Release/s:

Download 8.5
Introduced in Version:
5
Support reference count:
17
Symptom Severity:
Severity 3 - Minor
UIS:
17
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint.

This vulnerability was discovered by Mikhail Klyuchnikov of Positive Technologies.

The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.

Affected versions:

version < 8.5.15
8.6.0 ≤ version < 8.13.7
8.14.0 ≤ version < 8.17.0

Fixed versions:

8.5.15
8.13.7
8.17.0

Note: this issue may also affect patched Jira instances if anonymous user access is enabled. For more information, refer to Atlassian's documentation on controlling anonymous user access.

Attachments

Issue Links

was cloned as

JRASERVER-72531 8.16 - User Enumeration via /QueryComponentRendererValue!Default.jspa endpoint - CVE-2020-36289

Closed

is detailed by: VULN-164856 Loading...

relates to: VULN-549089 Loading...

Activity

People

Assignee:: Unassigned

Reporter:: AB

Votes:: 1 Vote for this issue

Watchers:: 17 Start watching this issue

Dates

Created:: 16/Sep/2020 3:08 AM

Updated:: 23/Nov/2023 12:24 PM

Resolved:: 10/Nov/2021 2:32 PM