HackerOne H1:1336397 (0x3f), Sep 10, 2021 - 1:59 p.m.

U.S. Dept Of Defense: Information disclosure at '████████' --- CVE-2020-14179

2021-09-10 13:59:08
0x3f
hackerone.com

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.004 Low

EPSS

Percentile

68.5%

Research conducted on ████████ indicates that the Atlassian Jira Server and Data Center instance allows remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint (CVE-2020-14179).

The domain ███ is interpreted as in-scope

The domain ████████ is interpreted as in-scope of the DoD VDP, based on the following findings:

  1. The acronym "████": <https://www.█████████>.

  2. The link to █████████ is included in the navigation menu displayed by a Confluence instance that belongs to the █████ “████████”:

███

[ Note ] If this interpretation is incorrect, I would very much appreciate an opportunity to self-close the report.


Test traffic markers

Test traffic included (when possible) the following markers:

  • HTTP header: X-Bug-Bounty: ID-aebf31c2dfb9205493c5d0ff65d59480305bdb96a85ace0c41f86c45c80a977b

Test platform

  • Chromium v. 92.0.4515.131

  • Burp Suite Community Edition Build 9276


References:

  1. CVE-2020-14179

  2. JRASERVER-71536

  3. HackerOne report #1061204

  4. HackerOne report #988550

  5. HackerOne report #1003980

  6. HackerOne report #1050454

Impact

  • A remote, unauthenticated and unauthorised attacker can access custom field names and custom SLA names.

  • The attacker can make a JQL query using the custom SLA fields disclosed by the endpoint.

System Host(s)

████████

Affected Product(s) and Version(s)

Atlassian Jira Server and Data Center

CVE Numbers

CVE-2020-14179

Steps to Reproduce

In a browser, visit <https://█████/secure/QueryComponent!Default.jspa>

████████

Suggested Mitigation/Remediation Actions

Update the Jira instance to a version that is not vulnerable to CVE-2020-14179.
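Until the instance is patched, successful anonymous requests to the endpoint named in this report are worth alerting on. The following detection logic is an added example, not part of the report or of Jira; it assumes a Tomcat-style access log in which the third field is the Jira username ("-" for anonymous) and runs over constructed sample lines.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint from the report; compared after URL-decoding and lower-casing so an
# encoded "%21" (the "!" character) or mixed case does not slip past the check.
VULN_PATH = "/secure/querycomponent!default.jspa"

# Assumed log layout (Tomcat-style access log):
#   client_ip request_id username [timestamp] "METHOD path HTTP/x" status bytes
# Anonymous requests carry "-" in the username field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<reqid>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_unauth_probe(rec):
    """True when an anonymous client successfully fetched the vulnerable endpoint."""
    path = unquote(rec["path"]).split("?", 1)[0].lower()
    return rec["user"] == "-" and path == VULN_PATH and rec["status"] == "200"

def find_probes(lines):
    """Group successful anonymous hits on the endpoint by source IP (ip -> timestamps)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_unauth_probe(rec):
            hits[rec["ip"]].append(rec["ts"])
    return dict(hits)

# Constructed sample lines (not from the report): two anonymous hits from one
# address (the second URL-encoded), one authenticated hit, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 r1 - [10/Sep/2021:13:55:01 +0000] "GET /secure/QueryComponent!Default.jspa HTTP/1.1" 200 5120',
    '203.0.113.7 r2 - [10/Sep/2021:13:55:03 +0000] "GET /secure/QueryComponent%21Default.jspa?x=1 HTTP/1.1" 200 5120',
    '198.51.100.4 r3 jdoe [10/Sep/2021:13:56:10 +0000] "GET /secure/QueryComponent!Default.jspa HTTP/1.1" 200 5120',
    '203.0.113.7 r4 - [10/Sep/2021:13:57:00 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for ip, times in find_probes(SAMPLE_LOG).items():
        print(f"{ip}: {len(times)} anonymous hit(s) on QueryComponent!Default.jspa")
```

Authenticated hits are deliberately ignored, since the endpoint is a normal part of the Jira UI for logged-in users; only the anonymous ones indicate exposure.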
