Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
atlassianSecurity-metrics-botJRASERVER-71175
HistoryJun 12, 2020 - 8:05 p.m.

Information disclosure in Login - CVE-2020-4028

2020-06-1220:05:39
security-metrics-bot
jira.atlassian.com
16

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

47.2%

JSON

Users without session information should be pushed to the login page.
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in Login.

Affected versions:

  • version < 8.9.1

Fixed versions:

  • 8.9.1
  • 8.10.0
  • 8.11.0

Notes:

If the fix is causing problems it can be disabled by [adding to Jira a dark feature flag|https://confluence.atlassian.com/jirakb/enable-dark-feature-in-jira-959286331.html]
{code:java}
jira.redirect.anonymous.404.errors.disabled
{code}
The fix is available in LTS versions - 7.13.15+ and 8.5.6+ but will be disabled. The fix can be enabled by [adding to Jira a dark feature flag|https://confluence.atlassian.com/jirakb/enable-dark-feature-in-jira-959286331.html]
{code:java}
jira.redirect.anonymous.404.errors.enabled{code}
Both feature flags can be [added by admin via site &lt;jira_directory&gt;/secure/SiteDarkFeatures!default.jspa|https://confluence.atlassian.com/jirakb/enable-dark-feature-in-jira-959286331.html]

Affected configurations

Vulners
Node
atlassianjira_data_centerRange7.10.2
OR
atlassianjira_data_centerRange8.5.0
OR
atlassianjira_data_centerRange<8.10.0
OR
atlassianjira_data_centerRange<8.9.1
OR
atlassianjira_data_centerRange<8.11.0
OR
atlassianjira_data_centerRange<8.5.6
VendorProductVersionCPE
atlassianjira_data_center*cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*

Related

cve 1
atlassian 1
prion 1
cvelist 1
nvd 1
cve
cve
CVE-2020-4028
2020-06-23 13:15:17
atlassian
atlassian
Information disclosure in Login - CVE-2020-4028
2020-06-12 20:05:39
prion
prion
Information disclosure
2020-06-23 13:15:00
cvelist
cvelist
CVE-2020-4028
2020-06-23 12:55:12
nvd
nvd
CVE-2020-4028
2020-06-23 13:15:17

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

47.2%

JSON
Related for JRASERVER-71175
cve1atlassian1prion1cvelist1nvd1