Affected versions of Jira Server & Data Center allow a remote attacker with limited (non-admin) privileges to view a Jira instance's Support Entitlement Number (SEN) via an Information Disclosure vulnerability in the HTTP Response headers.
*Affected versions:*
* version < 7.13.18
* 8.0.0 ≤ version < 8.5.9
* 8.6.0 ≤ version < 8.12.1
*Fixed versions:*
* 7.13.18
* 8.5.9
* 8.12.1
* 8.13.0
* 8.14.0
{"id": "JRASERVER-71646", "vendorId": null, "type": "atlassian", "bulletinFamily": "software", "title": "SEN disclosure via HTTP Response headers - CVE-2020-14183", "description": "Affected versions of Jira Server & Data Center allow a remote attacker with limited (non-admin) privileges to view a Jira instance's Support Entitlement Number (SEN) via an Information Disclosure vulnerability in the HTTP Response headers.\r\n\r\n*Affected versions:*\r\n * version < 7.13.18\r\n * 8.0.0 \u2264 version < 8.5.9\r\n * 8.6.0 \u2264 version < 8.12.1\r\n\r\n*Fixed versions:*\r\n * 7.13.18\r\n * 8.5.9\r\n * 8.12.1\r\n * 8.13.0\r\n * 8.14.0", "published": "2020-10-05T20:20:56", "modified": "2021-03-08T15:34:03", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, "href": "https://jira.atlassian.com/browse/JRASERVER-71646", "reporter": "mandreacchio", "references": [], "cvelist": ["CVE-2020-14183"], "immutableFields": [], "lastseen": "2022-01-05T06:15:08", "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "atlassian", "idList": ["ATLASSIAN:JRASERVER-71646"]}, {"type": "cve", "idList": ["CVE-2020-14183"]}, {"type": "nessus", "idList": ["JIRA_JRASERVER-71646.NASL", "WEB_APPLICATION_SCANNING_112850", "WEB_APPLICATION_SCANNING_112851", "WEB_APPLICATION_SCANNING_112852"]}], "rev": 4}, "score": {"value": 4.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "atlassian", "idList": ["ATLASSIAN:JRASERVER-71646"]}, {"type": "cve", "idList": ["CVE-2020-14183"]}, {"type": "nessus", "idList": ["WEB_APPLICATION_SCANNING_112850", "WEB_APPLICATION_SCANNING_112851", "WEB_APPLICATION_SCANNING_112852"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "jira server and data center", "version": 6}, {"name": "jira server and data center", "version": 8}, {"name": "jira server and data center", "version": 8}, {"name": "jira server and data center", "version": 7}, {"name": "jira server and data center", "version": 8}, {"name": "jira server and data center", "version": 8}]}, "vulnersScore": 4.3}, "affectedSoftware": [{"version": "6.4.1", "operator": "le", "name": "jira server and data center"}, {"version": "8.12.1", "operator": "lt", "name": "jira server and data center"}, {"version": "8.13.0", "operator": "lt", "name": "jira server and data center"}, {"version": "7.13.18", "operator": "lt", "name": "jira server and data center"}, {"version": "8.5.9", "operator": "lt", "name": "jira server and data center"}, {"version": "8.14.0", "operator": "lt", "name": "jira server and data center"}], "_state": {"dependencies": 1646517327, "score": 1659853389, "affected_software_major_version": 1666695388}, "_internal": {"score_hash": "02a1b08e4bd29235c9ef9522bd6aa488"}}
{"nessus": [{"lastseen": "2023-01-11T14:51:22", "description": "According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is prior to 7.3.18, 8.x < 8.5.9 or 8.6.x < 8.12.1. It is, therefore, affected by an information disclosure vulnerability in the HTTP Response headers allowing a remote attacker with limited privileges to view a Jira instance's Support Entitlement Number (SEN).\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-07-02T00:00:00", "type": "nessus", "title": "Atlassian Jira < 7.13.18 Support Entitlement Number Disclosure", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14183"], "modified": "2022-10-26T00:00:00", "cpe": ["cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112850", "href": "https://www.tenable.com/plugins/was/112850", "sourceData": "No source data", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-01-11T14:51:26", "description": "According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is prior to 7.3.18, 8.x < 8.5.9 or 8.6.x < 8.12.1. It is, therefore, affected by an information disclosure vulnerability in the HTTP Response headers allowing a remote attacker with limited privileges to view a Jira instance's Support Entitlement Number (SEN).\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-07-02T00:00:00", "type": "nessus", "title": "Atlassian Jira 8.x < 8.5.9 Support Entitlement Number Disclosure", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14183"], "modified": "2022-10-26T00:00:00", "cpe": ["cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112851", "href": "https://www.tenable.com/plugins/was/112851", "sourceData": "No source data", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-01-11T14:51:25", "description": "According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is prior to 7.3.18, 8.x < 8.5.9 or 8.6.x < 8.12.1. It is, therefore, affected by an information disclosure vulnerability in the HTTP Response headers allowing a remote attacker with limited privileges to view a Jira instance's Support Entitlement Number (SEN).\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-07-02T00:00:00", "type": "nessus", "title": "Atlassian Jira 8.6.x < 8.12.1 Support Entitlement Number Disclosure", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14183"], "modified": "2022-10-26T00:00:00", "cpe": ["cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112852", "href": "https://www.tenable.com/plugins/was/112852", "sourceData": "No source data", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2022-04-16T14:03:58", "description": "According to its self-reported version number, the instance of Atlassian JIRA hosted on the remote web server is potentially affected by Information Disclosure vulnerability. Affected versions of Jira Server & Data Center allow a remote attacker with limited (non-admin) privileges to view a Jira instance's Support Entitlement Number (SEN) via an Information Disclosure vulnerability in the HTTP Response headers.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 4.3, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}, "published": "2020-11-27T00:00:00", "type": "nessus", "title": "Atlassian JIRA < 7.13.18 / 8.0.x < 8.5.9 / 8.6.x < 8.12.1 Information Disclosure (JRASERVER-71646)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-14183"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:atlassian:jira"], "id": "JIRA_JRASERVER-71646.NASL", "href": "https://www.tenable.com/plugins/nessus/143272", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143272);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2020-14183\");\n script_xref(name:\"IAVA\", value:\"2020-A-0432\");\n\n script_name(english:\"Atlassian JIRA < 7.13.18 / 8.0.x < 8.5.9 / 8.6.x < 8.12.1 Information Disclosure (JRASERVER-71646)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server hosts a web application that is potentially affected by Information Disclosure vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the instance of Atlassian JIRA hosted on the remote web server is\npotentially affected by Information Disclosure vulnerability. Affected versions of Jira Server & Data Center allow\na remote attacker with limited (non-admin) privileges to view a Jira instance's Support Entitlement Number (SEN) via\nan Information Disclosure vulnerability in the HTTP Response headers.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://jira.atlassian.com/browse/JRASERVER-71646\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Atlassian JIRA version 7.13.18 / 8.5.9 / 8.12.1 / 8.13.0 / 8.14.0 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-14183\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:atlassian:jira\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"jira_detect.nasl\", \"atlassian_jira_win_installed.nbin\", \"atlassian_jira_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Atlassian JIRA\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp_info = vcf::combined_get_app_info(app:'Atlassian JIRA');\n\nconstraints = [\n { 'fixed_version' : '7.13.18' },\n { 'min_version' : '8.0.0', 'fixed_version' : '8.5.9' },\n { 'min_version' : '8.6.0', 'fixed_version' : '8.12.1', 'fixed_display' : '8.12.1 / 8.13.0 / 8.14.0'}\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_WARNING\n);\n", "cvss": {"score": 4, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "atlassian": [{"lastseen": "2021-07-28T14:40:47", "description": "Affected versions of Jira Server & Data Center allow a remote attacker with limited (non-admin) privileges to view a Jira instance's Support Entitlement Number (SEN) via an Information Disclosure vulnerability in the HTTP Response headers.\r\n\r\n*Affected versions:*\r\n * version < 7.13.18\r\n * 8.0.0 \u2264 version < 8.5.9\r\n * 8.6.0 \u2264 version < 8.12.1\r\n\r\n*Fixed versions:*\r\n * 7.13.18\r\n * 8.5.9\r\n * 8.12.1\r\n * 8.13.0\r\n * 8.14.0", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2020-10-05T20:20:56", "type": "atlassian", "title": "SEN disclosure via HTTP Response headers - CVE-2020-14183", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14183"], "modified": "2021-03-08T15:34:03", "id": "ATLASSIAN:JRASERVER-71646", "href": "https://jira.atlassian.com/browse/JRASERVER-71646", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2022-03-23T13:04:41", "description": "Affected versions of Jira Server & Data Center allow a remote attacker with limited (non-admin) privileges to view a Jira instance's Support Entitlement Number (SEN) via an Information Disclosure vulnerability in the HTTP Response headers. The affected versions are before version 7.13.18, from version 8.0.0 before 8.5.9, and from version 8.6.0 before 8.12.1.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-10-06T23:15:00", "type": "cve", "title": "CVE-2020-14183", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14183"], "modified": "2020-10-19T13:51:00", "cpe": [], "id": "CVE-2020-14183", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14183", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": []}]}
SEN disclosure via HTTP Response headers - CVE-2020-14183
