Lucene search

Security-metrics-botJRASERVER-69239

HistoryApr 29, 2019 - 3:27 a.m.

Permissions bypass in the inline-create rest resource - CVE-2018-20826

2019-04-2903:27:54

security-metrics-bot

jira.atlassian.com

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

39.5%

JSON

The inline-create rest resource in Jira before version 7.12.3 allows authenticated remote attackers to set the reporter in issues via a missing authorisation check.

Affected configurations

Vulners

Node

atlassianjira_data_centerRange≤7.8.0

atlassianjira_data_centerRange≤7.10.1

atlassianjira_data_centerRange<7.13.0

atlassianjira_data_centerRange<7.12.3

atlassianjira_data_centerRange<8.0.0

VendorProductVersionCPE
atlassianjira_data_center*cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
atlassian	jira_data_center	*	cpe:2.3:a:atlassian:jira_data_center::::::::

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

39.5%

JSON

Related for JRASERVER-69239