
User without "Browse Users" permission can view groups - CVE-2022-36800

    • 3.5
    • Medium
    • CVE-2022-36800

      Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers without the "Browse Users" permission to view groups via an Information Disclosure vulnerability in the browsegroups.action endpoint.

      The affected versions are before version 4.22.2.

      Affected versions:

      • version < 4.22.2

      Fixed versions:

      • 4.22.2


            Mandeep Jadon made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 733525 ]

            André Rossky added a comment -

            Howdi team,

            any update or details on fix and vulnerability for LTS versions?

            Marc Gebauer added a comment -

            Is the LTS version 4.20.x also affected? This isn't really clear from the facts in the description (< 4.22.2, so affected) and the details section (4.22.1, not affected) in this issue.
            Security Metrics Bot made changes -
            CVE ID New: CVE-2022-36800
            AB made changes -
            Resolution New: Fixed [ 1 ]
            Security Original: Atlassian Staff [ 10750 ]
            Status Original: Draft [ 12872 ] New: Published [ 12873 ]
            AB made changes -
            Summary Original: User without "Browse Users" permission can view groups - CVE registration for this issue is already in progress New: User without "Browse Users" permission can view groups - CVE-2022-36800
            AB made changes -
            Description Original: Affected versions of Atlassian Jira Service Management Server allow remote attackers without the "Browse Users" permission to view groups via an Information Disclosure vulnerability in the _browsegroups.action_ endpoint.

            The affected versions are before version 4.22.2.

            *Affected versions:*
             * version < 4.22.2

            *Fixed versions:*
             * 4.22.2
            New: Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers without the "Browse Users" permission to view groups via an Information Disclosure vulnerability in the _browsegroups.action_ endpoint.

            The affected versions are before version 4.22.2.

            *Affected versions:*
             * version < 4.22.2

            *Fixed versions:*
             * 4.22.2
            Security Metrics Bot made changes -
            Labels Original: advisory advisory-to-release dont-import security New: advisory advisory-to-release dont-import security 🔢✅

            Security Metrics Bot added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 3.5 => Low severity

            Exploitability Metrics

            Attack Vector: Network
            Attack Complexity: Low
            Privileges Required: Low
            User Interaction: Required

            Scope Metric

            Scope: Unchanged

            Impact Metrics

            Confidentiality: Low
            Integrity: None
            Availability: None

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
            AB made changes -
            Description Original: Affected versions of Atlassian Jira Service Management Server allow remote attackers without the "Browse Users" permission to view groups via an Information Disclosure vulnerability in the _browsegroups.action_ endpoint.

            The affected versions are before version 4.22.2.

            *{*}Affected versions:{*}*
             * version < 4.22.2

            *{*}Fixed versions:{*}*
             * 4.22.2
            New: Affected versions of Atlassian Jira Service Management Server allow remote attackers without the "Browse Users" permission to view groups via an Information Disclosure vulnerability in the _browsegroups.action_ endpoint.

            The affected versions are before version 4.22.2.

            *Affected versions:*
             * version < 4.22.2

            *Fixed versions:*
             * 4.22.2
