Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-71560

User Enumeration via /ViewUserHover.jspa - CVE-2020-14181

      Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint.

      This vulnerability was discovered by Mikhail Klyuchnikov of Positive Technologies.

      Affected versions:

      • version < 7.13.16
      • 8.0.0 ≤ version < 8.5.7
      • 8.6.0 ≤ version < 8.12.0

      Fixed versions:

      • 7.13.16
      • 8.5.7
      • 8.12.0

            [JRASERVER-71560] User Enumeration via /ViewUserHover.jspa - CVE-2020-14181

            Hi Team,

             

            This issue still exists in 9.12.1. I have tested and attached the screenshot for reference.

             

            Thanks

            Swesh InfoSec added a comment - Hi Team,   This issue still exists in 9.12.1. I have tested and attached the screenshot for reference.   Thanks

            . added a comment -

            Workaround via url rewrites in JRASERVER-71536

            . added a comment - Workaround via url rewrites in  JRASERVER-71536

            Just curious it was regression of JRASERVER-44644 ?

            Gonchik Tsymzhitov added a comment - Just curious it was regression of JRASERVER-44644 ?

            Is there any workaround for this vulnerability ?

            Naman Mandli added a comment - Is there any workaround for this vulnerability ?

            AB added a comment -

            CVSS v3 score: 5.3 => Medium severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity Low
            Privileges Required None
            User Interaction None

            Scope Metric

            Scope Unchanged

            Impact Metrics

            Confidentiality Low
            Integrity None
            Availability None

            See http://go.atlassian.com/cvss for more details.

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

            AB added a comment - CVSS v3 score: 5.3 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity None Availability None See http://go.atlassian.com/cvss for more details. https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

              Unassigned Unassigned
              ablack@atlassian.com AB
              Affected customers:
              0 This affects my team
              Watchers:
              16 Start watching this issue

                Created:
                Updated:
                Resolved: