Lucene search

Security-metrics-botJRASERVER-77713

HistoryMay 14, 2024 - 11:15 p.m.

Information Disclosure in Jira Core Data Center

2024-05-1423:15:48

security-metrics-bot

jira.atlassian.com

jira core

data center

information disclosure

high severity

cvss score 7.4

confidentiality impact

integrity impact

availability impact

atlassian

upgrade

fixed versions

release notes

download center

vulnerability disclosure

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

6.3 Medium

AI Score

Confidence

High

0.022 Low

EPSS

Percentile

89.4%

JSON

This High severity Information Disclosure vulnerability was introduced in versions 9.4.0, 9.12.0, and 9.15.0 of Jira Core Data Center.

This Information Disclosure vulnerability, with a CVSS Score of 7.4, allows an unauthenticated attacker to view sensitive information via an Information Disclosure vulnerability which has high impact to confidentiality, no impact to integrity, no impact to availability, and requires user interaction.

Atlassian recommends that Jira Core customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

Data Center
||Affected versions||Fixed versions||
|from 9.15.0 to 9.15.2|9.16.0|
|from 9.14.0 to 9.14.1|9.16.0|
|from 9.13.0 to 9.13.1|9.16.0|
|from 9.12.0 to 9.12.7 LTS|9.16.0 or 9.12.8 LTS recommended|
|from 9.11.0 to 9.11.3|9.16.0 or 9.12.8 LTS recommended|
|from 9.10.0 to 9.10.2|9.16.0 or 9.12.8 LTS recommended|
|from 9.9.0 to 9.9.2|9.16.0 or 9.12.8 LTS recommended|
|from 9.8.0 to 9.8.2|9.16.0 or 9.12.8 LTS recommended|
|from 9.7.0 to 9.7.2|9.16.0 or 9.12.8 LTS recommended|
|from 9.6.0 to 9.6.2|9.16.0 or 9.12.8 LTS recommended|
|from 9.5.0 to 9.5.1|9.16.0 or 9.12.8 LTS recommended|
|from 9.4.0 to 9.4.20 LTS|9.16.0 or 9.4.21 LTS or 9.12.8 LTS recommended|
|from 9.3.0 to 9.3.3|9.16.0 or 9.4.21 LTS or 9.12.8 LTS recommended|
|from 9.2.0 to 9.2.1|9.16.0 or 9.4.21 LTS or 9.12.8 LTS recommended|
|from 9.1.0 to 9.1.1|9.16.0 or 9.4.21 LTS or 9.12.8 LTS recommended|
|9.0.0|9.16.0 or 9.4.21 LTS or 9.12.8 LTS recommended|
|Any earlier versions|9.16.0 or 9.4.21 LTS or 9.12.8 LTS recommended|

Server
||Affected versions||Fixed versions||
|from 9.12.0 to 9.12.7 LTS|9.12.8 LTS recommended|
|from 9.11.0 to 9.11.3|9.12.8 LTS recommended|
|from 9.10.0 to 9.10.2|9.12.8 LTS recommended|
|from 9.9.0 to 9.9.2|9.12.8 LTS recommended|
|from 9.8.0 to 9.8.2|9.12.8 LTS recommended|
|from 9.7.0 to 9.7.2|9.12.8 LTS recommended|
|from 9.6.0 to 9.6.2|9.12.8 LTS recommended|
|from 9.5.0 to 9.5.1|9.12.8 LTS recommended|
|from 9.4.0 to 9.4.20 LTS|9.4.21 LTS or 9.12.8 LTS recommended|
|from 9.3.0 to 9.3.3|9.4.21 LTS or 9.12.8 LTS recommended|
|from 9.2.0 to 9.2.1|9.4.21 LTS or 9.12.8 LTS recommended|
|from 9.1.0 to 9.1.1|9.4.21 LTS or 9.12.8 LTS recommended|
|9.0.0|9.4.21 LTS or 9.12.8 LTS recommended|
|Any earlier versions|9.4.21 LTS or 9.12.8 LTS recommended|

See the [release notes|https://www.atlassian.com/software/jira/core/download]. You can download the latest version of Jira Core Data Center from the download center.

This vulnerability was found internally.

Affected configurations

Vulners

Node

atlassianjira_data_centerRange≤9.4.0

atlassianjira_data_centerRange≤9.12.0

atlassianjira_data_centerRange≤9.15.0

atlassianjira_data_centerRange<9.16.0

atlassianjira_data_centerRange<9.4.21

atlassianjira_data_centerRange<9.12.8

CPENameOperatorVersion
jira data centerle9.4.0
jira data centerle9.12.0
jira data centerle9.15.0
jira data centerlt9.16.0
jira data centerlt9.4.21
jira data centerlt9.12.8