- Public Security Vulnerability
- Resolution: Fixed
- Low
- 4.20.3
- None
- 4.3
- Medium
Affected versions of Atlassian Jira Service Management Server and Data Center allow an authenticated attacker who doesn't have permission to access a project to view the names of private projects via an Information Disclosure vulnerability in the /rest/insight/1.0/project/picker endpoint.
Affected versions:
- version < 4.20.4
Fixed versions:
- 4.20.4
[JSDSERVER-11206] REST API Endpoint Leaked private project to unauthorized user

Change history (most recent change first):

Field | Original | New
---|---|---
Resolution | | Fixed [ 1 ]
Security | Atlassian Staff [ 10750 ] | (removed)
Status | Draft [ 12872 ] | Published [ 12873 ]
Labels | | advisory advisory-to-release dont-import security

Description, current revision:

Affected versions of Atlassian Jira Service Management Server and Data Center allow an authenticated attacker who doesn't have permission to access a project to view the names of private projects via an Information Disclosure vulnerability in the {{/rest/insight/1.0/project/picker}} endpoint.
*Affected versions:* - version < 4.20.4 *Fixed versions:* - 4.20.4

Description, previous revision (affected version range still a placeholder):

Affected versions of Atlassian Jira Service Management Server and Data Center allow an authenticated attacker who doesn't have permission to access a project to view the names of private projects via an Information Disclosure vulnerability in the {{/rest/insight/1.0/project/picker}} endpoint.
*Affected versions:* - [list version ranges¶] *Fixed versions:* - 4.20.4

Description, advisory template before it was filled in:

Affected versions of Atlassian [$product] [Cloud, Desktop, or Server and Data Center?] allow [what kind of attacker?*] to [do something bad†] via a [type of vulnerability§] in the [$blah component | $blah feature | $blah endpoint].
[Credit for an external reporter who told us about the bug, if they agree to be credited, e.g. “This vulnerability was reported by Jane Doe of The FooBar Corporation.”] [Optional workaround information] *Affected versions:* - [list version ranges¶] *Fixed versions:* - [list version ranges¶]

Description, initial text:

This vulnerability affects certain versions of Atlassian Jira Service Management Server. Please describe the impact of the vulnerability here. No known vulnerability could be read off of the parent.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 4.3 => Medium severity

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

- Exploitability Metrics: Attack Vector Network (AV:N), Attack Complexity Low (AC:L), Privileges Required Low (PR:L), User Interaction None (UI:N)
- Scope Metric: Unchanged (S:U)
- Impact Metrics: Confidentiality Low (C:L), Integrity None (I:N), Availability None (A:N)

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N