[JRASERVER-71560] User Enumeration via /ViewUserHover.jspa - CVE-2020-14181 - Create and track feature requests for Atlassian products.

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Low
Resolution: Fixed
Affects Version/s: 5.0
Fix Version/s: 8.12.0, 7.13.16, 8.5.7
Component/s: Project Administration - Components
Labels:

Fixed in Long Term Support Release/s:

Download 7.13, 8.5
Introduced in Version:
5
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint.

This vulnerability was discovered by Mikhail Klyuchnikov of Positive Technologies.

Affected versions:

version < 7.13.16
8.0.0 ≤ version < 8.5.7
8.6.0 ≤ version < 8.12.0

Fixed versions:

7.13.16
8.5.7
8.12.0

Attachments

Issue Links

is detailed by: VULN-164855 Loading...

Activity

People

Assignee:: Unassigned

Reporter:: Anton 🆎 (AU)

Votes:: 0 Vote for this issue

Watchers:: 11 Start watching this issue

Dates

Created:: 16/Sep/2020 3:13 AM

Updated:: 27/Nov/2020 12:54 PM

Resolved:: 16/Sep/2020 3:13 AM