• Type: Public Security Vulnerability
• Resolution: Fixed
• Priority: Low (View bug fix roadmap)
• Fix Version/s: 8.15.0
• Affects Version/s: 8.5.0, 8.13.0
• Component/s: None
• Labels:

  • CVE-2020-36237
  • advisory
  • advisory-to-release
  • dont-import
  • lts-backport
  • security

[JRASERVER-72064] Custom field options are exposed via an unauthenticated REST API endpoint - CVE-2020-36237

Collapse comment: Russell Berry added a comment - 18/Oct/2021 11:58 AM

Russell Berry added a comment - 18/Oct/2021 11:58 AM

Qualys is flagging this issue as QID 150370.

 

Expand comment: Russell Berry added a comment - 18/Oct/2021 11:58 AM

Russell Berry added a comment - 18/Oct/2021 11:58 AM Qualys is flagging this issue as QID 150370.  

Collapse comment: Ravi Dahal added a comment - 20/Aug/2021 6:54 AM

Ravi Dahal added a comment - 20/Aug/2021 6:54 AM

Is this Fix available for LTS 8.13.x?

Expand comment: Ravi Dahal added a comment - 20/Aug/2021 6:54 AM

Ravi Dahal added a comment - 20/Aug/2021 6:54 AM Is this Fix available for LTS 8.13.x?

Collapse comment: Fritz Meier added a comment - 23/Jun/2021 11:48 AM

Fritz Meier added a comment - 23/Jun/2021 11:48 AM

Any news about a fix in the Long Term Support Version

Expand comment: Fritz Meier added a comment - 23/Jun/2021 11:48 AM

Fritz Meier added a comment - 23/Jun/2021 11:48 AM Any news about a fix in the Long Term Support Version

Collapse comment: LPS Config Team added a comment - 14/May/2021 9:21 AM

LPS Config Team added a comment - 14/May/2021 9:21 AM

Why is this not fixed for 8.13.x?

Expand comment: LPS Config Team added a comment - 14/May/2021 9:21 AM

LPS Config Team added a comment - 14/May/2021 9:21 AM Why is this not fixed for 8.13.x?

Collapse comment: Russell Berry added a comment - 12/Apr/2021 2:26 PM

Russell Berry added a comment - 12/Apr/2021 2:26 PM

More than three months and two updates of the Long Term Support release later and this is still not fixed.

Expand comment: Russell Berry added a comment - 12/Apr/2021 2:26 PM

Russell Berry added a comment - 12/Apr/2021 2:26 PM More than three months and two updates of the Long Term Support release later and this is still not fixed.

Collapse comment: Emilio Palmiero added a comment - 09/Mar/2021 3:42 PM

Emilio Palmiero added a comment - 09/Mar/2021 3:42 PM

Will this be backported to 8.13.x?

Expand comment: Emilio Palmiero added a comment - 09/Mar/2021 3:42 PM

Emilio Palmiero added a comment - 09/Mar/2021 3:42 PM Will this be backported to 8.13.x?

Collapse comment: Gunasekaran Subramanian added a comment - 18/Feb/2021 9:29 AM

Gunasekaran Subramanian added a comment - 18/Feb/2021 9:29 AM

 Is there any fix version available at LTS for this issue?

Expand comment: Gunasekaran Subramanian added a comment - 18/Feb/2021 9:29 AM

Gunasekaran Subramanian added a comment - 18/Feb/2021 9:29 AM  Is there any fix version available at LTS for this issue?

Collapse comment: AB added a comment - 04/Feb/2021 1:32 AM

AB added a comment - 04/Feb/2021 1:32 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment. 

CVSS v3 score: 5.3 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	Low
Integrity	None
Availability	None

Expand comment: AB added a comment - 04/Feb/2021 1:32 AM

AB added a comment - 04/Feb/2021 1:32 AM This is an independent assessment and you should evaluate its applicability to your own IT environment.  CVSS v3 score: 5.3 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity None Availability None