[%22Issue] Custom field options are exposed via an unauthenticated REST API endpoint - CVE-2020-36237 - Create and track feature requests for Atlassian products.

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.15.0
Affects Version/s: 8.5.0, 8.13.0
Component/s: None
Labels:

CVSS Score:
5
CVSS Severity:
Medium
CVE ID:
CVE-2020-36237

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field options via an Information Disclosure vulnerability in the /rest/api/2/customFieldOption/ endpoint.

The affected versions are before version 8.15.0.

Affected versions:

version < 8.15.0

Fixed versions:

8.15.0

is related to: JSEC-122 You do not have permission to view this issue

mentioned in: Page Failed to load

Form Name

Russell Berry added a comment - 18/Oct/2021 11:58 AM

Qualys is flagging this issue as QID 150370.

Russell Berry added a comment - 18/Oct/2021 11:58 AM Qualys is flagging this issue as QID 150370.

Geoff made changes - 05/Oct/2021 7:18 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 589044 ]

Security Metrics Bot made changes - 01/Sep/2021 6:01 AM

CVE ID

New: CVE-2020-36237

Ravi Dahal added a comment - 20/Aug/2021 6:54 AM

Is this Fix available for LTS 8.13.x?

Ravi Dahal added a comment - 20/Aug/2021 6:54 AM Is this Fix available for LTS 8.13.x?

Andriy Yakovlev [Atlassian] made changes - 10/Aug/2021 10:06 AM

Remote Link

New: This issue links to "JSEC-122 (JIRA Server (Bulldog))" [ 571714 ]

Andriy Yakovlev [Atlassian] made changes - 10/Aug/2021 10:05 AM

Labels

Original: CVE-2020-36237 advisory advisory-to-release dont-import security

New: CVE-2020-36237 advisory advisory-to-release dont-import lts-backport security

Fritz Meier added a comment - 23/Jun/2021 11:48 AM

Any news about a fix in the Long Term Support Version

Fritz Meier added a comment - 23/Jun/2021 11:48 AM Any news about a fix in the Long Term Support Version

LPS Config Team added a comment - 14/May/2021 9:21 AM

Why is this not fixed for 8.13.x?

LPS Config Team added a comment - 14/May/2021 9:21 AM Why is this not fixed for 8.13.x?

Russell Berry added a comment - 12/Apr/2021 2:26 PM

More than three months and two updates of the Long Term Support release later and this is still not fixed.

Russell Berry added a comment - 12/Apr/2021 2:26 PM More than three months and two updates of the Long Term Support release later and this is still not fixed.

Emilio Palmiero added a comment - 09/Mar/2021 3:42 PM

Will this be backported to 8.13.x?

Emilio Palmiero added a comment - 09/Mar/2021 3:42 PM Will this be backported to 8.13.x?

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 19 Start watching this issue

Created:: 04/Feb/2021 1:15 AM

Updated:: 25/Oct/2021 10:16 PM

Resolved:: 04/Feb/2021 1:32 AM

Details

Description

Attachments

Issue Links

Forms

Activity

[JRASERVER-72064] Custom field options are exposed via an unauthenticated REST API endpoint - CVE-2020-36237

Collapse comment: Russell Berry added a comment - 18/Oct/2021 11:58 AM

Expand comment: Russell Berry added a comment - 18/Oct/2021 11:58 AM

Collapse comment: Ravi Dahal added a comment - 20/Aug/2021 6:54 AM

Expand comment: Ravi Dahal added a comment - 20/Aug/2021 6:54 AM

Collapse comment: Fritz Meier added a comment - 23/Jun/2021 11:48 AM

Expand comment: Fritz Meier added a comment - 23/Jun/2021 11:48 AM

Collapse comment: LPS Config Team added a comment - 14/May/2021 9:21 AM

Expand comment: LPS Config Team added a comment - 14/May/2021 9:21 AM

Collapse comment: Russell Berry added a comment - 12/Apr/2021 2:26 PM

Expand comment: Russell Berry added a comment - 12/Apr/2021 2:26 PM

Collapse comment: Emilio Palmiero added a comment - 09/Mar/2021 3:42 PM

Expand comment: Emilio Palmiero added a comment - 09/Mar/2021 3:42 PM

People

Dates