Lucene search
F956e0e022e9ATLASSIAN:JRASERVER-73060HistoryNov 29, 2021 - 3:22 p.m.
Information Disclosure ever after CVE-2020-14179/JRASERVER-71536
2021-11-2915:22:30
f956e0e022e9
jira.atlassian.com
52
0.006 Low
EPSS
Percentile
79.1%
h3. Issue Summary
Unauthorized access to data from the following API even if the public.access.disabled is enabled.
/rest/api/2/projectCategory
/rest/api/2/resolution
/rest/menu/latest/admin
h3. Steps to Reproduce
- Install Jira 8.13.9 with H2 database
- Create a project and some Project categories
- Run the API call âhttp://localhost:48139/j8139/rest/api/2/projectCategoryâ without the username and password.
h3. Expected Results
- Unauthorised access and the data should not be visible.
h3. Actual Results
- Project categories, resolutions, and usernames are listed even if the API is not authenticated
h3. Workaround
Currently, there is no known workaround for this behavior. A workaround will be added here when available
| CPE | Name | Operator | Version |
|---|---|---|---|
| jira server and data center | le | 8.13.9 |
Related
prion
prion
Information disclosure
2020-09-21 01:15:00
hackerone
hackerone
Endless Group: CVE-2020-14179 on https://jira.theendlessweb.com/secure/QueryComponent!Default.jspa leads to information disclosure
2020-10-09 20:40:23
cve
cve
CVE-2020-14179
2020-09-21 01:15:12
nessus
nessus
nuclei
nuclei
cvelist
cvelist
CVE-2020-14179
2020-09-11 00:00:00
atlassian
atlassian
nvd
nvd
CVE-2020-14179
2020-09-21 01:15:12
githubexploit
githubexploit
Exploit for Vulnerability in Atlassian Jira Server
2021-01-08 14:15:24
thn
thn