atlassian | security-metrics-bot | JRASERVER-71536
Sep 10, 2020 - 4:31 a.m.

Sensitive data exposure via /secure/QueryComponent!Default.jspa endpoint - CVE-2020-14179

2020-09-10 04:31:31
security-metrics-bot
jira.atlassian.com
86

CVSS3: 5.3 Medium

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score: 5.4 Medium (Confidence: High)

CVSS2: 5 Medium

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.963 High (Percentile: 99.5%)

h3. Summary

Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint.

h3. Affected versions:

  • version < 8.5.8
  • 8.6.0 ≤ version < 8.11.1

h4. Fixed versions:

  • 8.5.8
  • 8.11.1 and above, including 8.13.x

h3. Note on fix

We’ve been unable to fully fix this issue due to the short SLA and the possible performance problems that a fix could introduce. Please check the workaround sections for mitigation steps.

h3. Workaround - Fix Versions

To work around this bug on the Jira versions listed under “Fixed versions” above, one of two techniques can be used:

h3. Workaround - Non-fix versions

If you are running a Jira version below the “Fixed versions” listed above and the instance should not be open to unauthenticated users, you can block anonymous access to the affected endpoint by using the URL rewrite system.

First, add the public.access.disabled [dark feature|https://confluence.atlassian.com/jirakb/how-to-control-anonymous-user-access-in-a-public-jira-instance-975031479.html] as above. This blocks access to the Jira issue navigator when unauthenticated.

Then, on each node, block the QueryComponent endpoints:

Edit the file JIRA_INSTALL/atlassian-jira/WEB-INF/urlrewrite.xml

Insert a new rule, directly underneath the last </rule> line (but before the </urlrewrite> line):

{code:java}
<!-- Return 403 for QueryComponent requests whose session has no authenticated Seraph user -->
<rule>
    <from>(?s)/QueryComponent!.*.jspa</from>
    <condition type="session-attribute" name="seraph_defaultauthenticator_user" operator="notequal">.+</condition>
    <set type="status">403</set>
    <to>null</to>
</rule>
{code}

Restart the node.

(i) If you have scripted basic authentication calls to these endpoints (e.g. Python or curl requests), they will all be blocked, authenticated or not.
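
A check to run on each node after editing the file, as an added example that is not part of Atlassian's advisory: it parses urlrewrite.xml and confirms that a rule covering the QueryComponent endpoint is well-formed, sits inside <urlrewrite>, and carries the session condition and 403 status. The function names, the sample XML and the use of Python's re module to try the Java pattern are assumptions of this example.

```python
import re
import sys
import xml.etree.ElementTree as ET

PROBE = "/secure/QueryComponent!Default.jspa"  # endpoint named in the advisory

def _blocks_anonymous(rule):
    """True if the rule answers 403 when no Seraph user is in the session."""
    cond, status = rule.find("condition"), rule.find("set")
    return (cond is not None and status is not None
            and cond.get("type") == "session-attribute"
            and cond.get("name") == "seraph_defaultauthenticator_user"
            and cond.get("operator") == "notequal"
            and (status.get("type"), (status.text or "").strip()) == ("status", "403"))

def audit_urlrewrite(xml_text):
    """Return a list of problems; an empty list means the rule is in place."""
    problems = []
    if re.search("[\u201c\u201d]", xml_text):
        problems.append("typographic quotes in file (copy/paste damage)")
    try:
        root = ET.fromstring(xml_text)  # also fails if the rule sits after </urlrewrite>
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    matching = []
    for rule in root.iter("rule"):
        pattern = (rule.findtext("from") or "").strip()
        try:
            # Assumption: the Java pattern is tried with Python's re, unanchored.
            if pattern and re.search(pattern, PROBE):
                matching.append(rule)
        except re.error:
            pass  # Java-only regex syntax in an unrelated rule
    if not matching:
        problems.append("no rule matches " + PROBE)
    elif not any(_blocks_anonymous(r) for r in matching):
        problems.append("matching rule lacks the session condition or 403 status")
    return problems

# Constructed sample files, not taken from a real Jira install.
RULE = ('<rule><from>(?s)/QueryComponent!.*.jspa</from>'
        '<condition type="session-attribute" name="seraph_defaultauthenticator_user" '
        'operator="notequal">.+</condition>'
        '<set type="status">403</set><to>null</to></rule>')
GOOD = "<urlrewrite><rule><from>^/old$</from><to>/new</to></rule>" + RULE + "</urlrewrite>"
MISPLACED = "<urlrewrite></urlrewrite>" + RULE  # rule pasted after the closing tag
if __name__ == "__main__":  # optional argument: path to urlrewrite.xml
    text = open(sys.argv[1], encoding="utf-8").read() if sys.argv[1:] else GOOD
    print(audit_urlrewrite(text) or "blocking rule present")
```

An empty result only shows the file is correct on disk; the node still has to be restarted for the rule to load.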
