Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-72272

Information Disclosure using JQL function membersOf - CVE-2020-36286

    XMLWordPrintable

Details

    Description

      The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a group exists & members of groups if they are assigned to a publicly visible issue field.

      Affected versions:

      • version < 8.5.13
      • 8.6.0 ≤ version < 8.13.5
      • 8.14.0 ≤ version < 8.15.1

      Fixed versions:

      • 8.5.13
      • 8.13.5
      • 8.15.1  

      Attachments

        Issue Links

          is related to

          Public Security Vulnerability - JRASERVER-72293 Anonymous users are able to view user information through the /rest/api/2/search endpoint - CVE-2021-39122

          • Low - Low priority issues
          • Published
          relates to

          VULN-204886 Loading...

          Activity

            People

              Unassigned Unassigned
              dblack David Black
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: