[%22Issue] User without "Browse Users" permission can view groups - CVE-2022-36800 - Create and track feature requests for Atlassian products.

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Low
Fix Version/s: 4.22.2
Affects Version/s: 4.22.1
Component/s: None
Labels:

CVSS Score:
3.5
CVSS Severity:
Medium
CVE ID:
CVE-2022-36800

Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers without the "Browse Users" permission to view groups via an Information Disclosure vulnerability in the browsegroups.action endpoint.

The affected versions are before version 4.22.2.

Affected versions:

version < 4.22.2

Fixed versions:

4.22.2

mentioned in: Page Failed to load

André Rossky added a comment - 15/Sep/2022 6:06 AM

Howdi team,

any update or details on fix and vulnerability for LTS versions?

André Rossky added a comment - 15/Sep/2022 6:06 AM Howdi team, any update or details on fix and vulnerability for LTS versions?

Marc Gebauer added a comment - 10/Aug/2022 4:54 AM

Is the LTS-Version 4.20.x also affected? This isn't really clear with the facts from the description (< 4.22.2 - so affected) and the details-section (4.22.1 - no affected) in this issue.

Marc Gebauer added a comment - 10/Aug/2022 4:54 AM Is the LTS-Version 4.20.x also affected? This isn't really clear with the facts from the description (< 4.22.2 - so affected) and the details-section (4.22.1 - no affected) in this issue.

Security Metrics Bot added a comment - 27/Jul/2022 1:46 PM

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 3.5 => Low severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low
User Interaction	Required

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	Low
Integrity	None
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Security Metrics Bot added a comment - 27/Jul/2022 1:46 PM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 3.5 => Low severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction Required Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 27/Jul/2022 1:53 AM

Updated:: 21/Feb/2023 3:41 PM

Resolved:: 03/Aug/2022 4:12 AM

Details

Description

Attachments

Issue Links

Forms

Activity

[JSDSERVER-11900] User without "Browse Users" permission can view groups - CVE-2022-36800

Collapse comment: André Rossky added a comment - 15/Sep/2022 6:06 AM

Expand comment: André Rossky added a comment - 15/Sep/2022 6:06 AM

Collapse comment: Marc Gebauer added a comment - 10/Aug/2022 4:54 AM

Expand comment: Marc Gebauer added a comment - 10/Aug/2022 4:54 AM

Collapse comment: Security Metrics Bot added a comment - 27/Jul/2022 1:46 PM

Expand comment: Security Metrics Bot added a comment - 27/Jul/2022 1:46 PM

People

Dates

Backbone Issue Sync