Source: nvd
ID: NVD:CVE-2020-36287
Date: Apr 09, 2021 - 2:15 a.m.

CVE-2020-36287

Timestamp: 2021-04-09 02:15:12
CWE: CWE-862, CWE-863
Reference: web.nvd.nist.gov
Tags: atlassian jira server, jira data center, remote attackers, gadget settings, missing permissions check

CVSS2

Score: 5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

Score: 5.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

Score: 0.001
Percentile: 41.1%

The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check.

Affected configurations

Nvd
Node
atlassian data_center, range: < 8.13.5
OR
atlassian jira, range: < 8.13.5
OR
atlassian jira_data_center, range: 8.14.0 to 8.15.1
OR
atlassian jira_server, range: 8.14.0 to 8.15.1

Vendor | Product | Version | CPE
atlassian | data_center | * | cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*
atlassian | jira | * | cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*
atlassian | jira_data_center | * | cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
atlassian | jira_server | * | cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
