[JRASERVER-72014] Pre-Authorization Limited Arbitrary File Read in Jira Server - CVE-2020-29453 - Create and track feature requests for Atlassian products.

XML

Word

Printable

Details

Type: Public Security Vulnerability
Status: Published (View Workflow)
Priority: Low
Resolution: Fixed
Affects Version/s: 8.5.0
Fix Version/s: 8.5.11, 8.13.3, 8.15.0
Component/s: None
Labels:

CVSS Score:
5.3
CVSS Severity:
Medium
CVE ID:
CVE-2020-29453

Description

The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.

Affected versions:

version < 8.5.11
8.6.0 ≤ version < 8.13.3
8.14.0 ≤ version < 8.15.0

Fixed versions:

8.5.11
8.13.3
8.15.0

This vulnerability is attributed to Amit Laish, a security researcher from GE Digital.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 21/Jan/2021 5:58 PM

Updated:: 1 week ago 5:28 AM

Resolved:: 21/Jan/2021 7:33 PM