- Bug
- Resolution: Fixed
- Medium
- 8.13.10, 9.4.0, 9.4.9
- 8.13
- 3
- Severity 2 - Major
- 3

We have found during testing that by sending a fake header with a domain name (supplied as a suffix, i.e. attack.eu) in the Host header field, the web server processes the input and sends the request to an attacker-controlled host that resides at the supplied domain, and not to an internal virtual host that resides on the web server.

Affected versions:
- 8.13.10
Earlier fixed versions:
- 7.13.16
- 8.5.7
- 8.9.2
- 8.10.1
- 8.11.0
- is cloned from
  - JRASERVER-71275 IDOR Disclosure of Private Project Titles - CVE-2020-14174 (Closed)
- followed by
  - SEF-15650 You do not have permission to view this issue

[JRASERVER-73811] IDOR (Insecure direct object references) in Jira 8.13.10
Labels | Original: 2af advisory advisory-released bugbounty cve-2020-14174 cvss-low idor monsters security security-imported | New: 2af advisory advisory-released bugbounty cve-2020-14174 cvss-low idor monsters resolved-in-vf security security-imported |
Fix Version/s | New: 8.15.0 [ 92948 ] |
Fix Version/s | New: 8.13.2 [ 92949 ] |
Resolution | New: Fixed [ 1 ] |
Status | Original: Short Term Backlog [ 12074 ] | New: Closed [ 6 ] |
Remote Link | New: This issue links to "Page (Confluence)" [ 963362 ] |
UIS | Original: 6 | New: 3 |
UIS | Original: 7 | New: 6 |
UIS | Original: 3 | New: 7 |
Support reference count | Original: 2 | New: 3 |
Affects Version/s | New: 9.4.0 [ 102402 ] |
Affects Version/s | New: 9.4.9 [ 105514 ] |