F956e0e022e9ATLASSIAN:JRASERVER-73060Information Disclosure ever after CVE-2020-14179/JRASERVER-71536
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
h3. Issue Summary
Unauthorized access to data from the following API even if the public.access.disabled is enabled.
/rest/api/2/projectCategory
/rest/api/2/resolution
/rest/menu/latest/admin
h3. Steps to Reproduce
- Install Jira 8.13.9 with H2 database
- Create a project and some Project categories
- Run the API call âhttp://localhost:48139/j8139/rest/api/2/projectCategoryâ without the username and password.
h3. Expected Results
- Unauthorised access and the data should not be visible.
h3. Actual Results
- Project categories, resolutions, and usernames are listed even if the API is not authenticated
h3. Workaround
Currently, there is no known workaround for this behavior. A workaround will be added here when available
| CPE | Name | Operator | Version |
|---|---|---|---|
| jira server and data center | le | 8.13.9 |
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N