Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-71950

Mobile site reveals the summary titles of privately linked tickets - CVE-2020-36235

XMLWordPrintable

    • 5.3
    • Medium
    • CVE-2020-36235

      Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view.

       

      The affected versions are before version 8.13.2, and from version 8.14.0 before 8.14.1.

       

      Affected versions:

      • version < 8.13.2
      • 8.14.0 ≤ version < 8.14.1

      Fixed versions:

      • 8.13.2
      • 8.14.1
      • 8.15.0  

            [JRASERVER-71950] Mobile site reveals the summary titles of privately linked tickets - CVE-2020-36235

            Security Metrics Bot made changes -
            CVE ID New: CVE-2020-36235
            AB made changes -
            Security Original: Reporter and Atlassian Staff [ 10751 ]
            AB made changes -
            Labels New: cve-2020-36235
            AB made changes -
            Summary Original: Mobile site reveals the summary titles of privately linked tickets - CVE-PENDING New: Mobile site reveals the summary titles of privately linked tickets - CVE-2020-36235
            David Black made changes -
            Security New: Reporter and Atlassian Staff [ 10751 ]
            AB made changes -
            Security Original: Atlassian Staff [ 10750 ]

            AB added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 5.3 => Medium severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity Low
            Privileges Required None
            User Interaction None

            Scope Metric

            Scope Unchanged

            Impact Metrics

            Confidentiality Low
            Integrity None
            Availability None

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

             

            AB added a comment - This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 5.3 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N  
            AB made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Draft [ 12872 ] New: Published [ 12873 ]
            AB made changes -
            Summary Original: Mobile site reveals the summary titles of privately linked tickets New: Mobile site reveals the summary titles of privately linked tickets - CVE-PENDING
            AB made changes -
            Description Original: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the custom field and custom SLA names.

             

            The affected versions are before version 8.13.2, and from version 8.14.0 before 8.14.1.

             

            *Affected versions:*
             * version < 8.13.2
             * 8.14.0 ≤ version < 8.14.1

            *Fixed versions:*
             * 8.13.2
             * 8.14.1
             * 8.15.0               		New: Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view.

             

            The affected versions are before version 8.13.2, and from version 8.14.0 before 8.14.1.

             

            *Affected versions:*
             * version < 8.13.2
             * 8.14.0 ≤ version < 8.14.1

            *Fixed versions:*
             * 8.13.2
             * 8.14.1
             * 8.15.0  

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: