[JRASERVER-71560] User Enumeration via /ViewUserHover.jspa - CVE-2020-14181 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.12.0, 7.13.16, 8.5.7
Affects Version/s: 5.0
Component/s: Project Administration - Components
Labels:

Fixed in Long Term Support Release/s:

Download 7.13, 8.5
Introduced in Version:
5
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint.

This vulnerability was discovered by Mikhail Klyuchnikov of Positive Technologies.

Affected versions:

version < 7.13.16
8.0.0 ≤ version < 8.5.7
8.6.0 ≤ version < 8.12.0

Fixed versions:

7.13.16
8.5.7
8.12.0

is detailed by: VULN-164855 Failed to load

Swesh InfoSec added a comment - 10/Jan/2024 4:09 AM

Hi Team,

This issue still exists in 9.12.1. I have tested and attached the screenshot for reference.

Thanks

Swesh InfoSec added a comment - 10/Jan/2024 4:09 AM Hi Team, This issue still exists in 9.12.1. I have tested and attached the screenshot for reference. Thanks

. added a comment - 24/Mar/2021 12:57 PM

Workaround via url rewrites in ~~JRASERVER-71536~~

. added a comment - 24/Mar/2021 12:57 PM Workaround via url rewrites in JRASERVER-71536

Gonchik Tsymzhitov added a comment - 01/Nov/2020 5:53 PM

Just curious it was regression of ~~JRASERVER-44644~~ ?

Gonchik Tsymzhitov added a comment - 01/Nov/2020 5:53 PM Just curious it was regression of JRASERVER-44644 ?

Naman Mandli added a comment - 19/Oct/2020 7:54 PM

Is there any workaround for this vulnerability ?

Naman Mandli added a comment - 19/Oct/2020 7:54 PM Is there any workaround for this vulnerability ?

AB added a comment - 16/Sep/2020 3:15 AM

CVSS v3 score: 5.3 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	Low
Integrity	None
Availability	None

See http://go.atlassian.com/cvss for more details.

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AB added a comment - 16/Sep/2020 3:15 AM CVSS v3 score: 5.3 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity None Availability None See http://go.atlassian.com/cvss for more details. https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Assignee:: Unassigned

Reporter:: AB

Affected customers:: 0 This affects my team

Watchers:: 16 Start watching this issue

Created:: 16/Sep/2020 3:13 AM

Updated:: 10/Jan/2024 4:09 AM

Resolved:: 16/Sep/2020 3:13 AM

Details

Description

Attachments

Issue Links

Forms

Activity

[JRASERVER-71560] User Enumeration via /ViewUserHover.jspa - CVE-2020-14181

Collapse comment: Swesh InfoSec added a comment - 10/Jan/2024 4:09 AM

Expand comment: Swesh InfoSec added a comment - 10/Jan/2024 4:09 AM

Collapse comment: . added a comment - 24/Mar/2021 12:57 PM

Expand comment: . added a comment - 24/Mar/2021 12:57 PM

Collapse comment: Gonchik Tsymzhitov added a comment - 01/Nov/2020 5:53 PM

Expand comment: Gonchik Tsymzhitov added a comment - 01/Nov/2020 5:53 PM

Collapse comment: Naman Mandli added a comment - 19/Oct/2020 7:54 PM

Expand comment: Naman Mandli added a comment - 19/Oct/2020 7:54 PM

Collapse comment: AB added a comment - 16/Sep/2020 3:15 AM

Expand comment: AB added a comment - 16/Sep/2020 3:15 AM

People

Dates