Lucene search

HistoryApr 08, 2021 - 12:00 a.m.

Atlassian JIRA < 8.5.13 / 8.6.x < 8.13.5 / 8.14.x < 8.15.1 Multiple Vulnerablities

2021-04-0800:00:00

www.tenable.com

atlassian

jira

vulnerabilities

remote attackers

permissions check

username validation

cve-2020-36238

group existence

cross-site request forgery (csrf)

cve-2021-26071

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

4.8

Confidence

High

EPSS

0.001

Percentile

42.2%

JSON

According to its self-reported version number, the instance of Atlassian JIRA hosted on the remote web server is affected by multiple vulnerabilities.

The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or not via a missing permissions check. (CVE-2020-36238)
The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a group exists & members of groups if they are assigned to publicly visible issue field. (CVE-2020-36286)
The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability. (CVE-2021-26071)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(148391);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/05");

  script_cve_id("CVE-2020-36238", "CVE-2020-36286", "CVE-2021-26071");
  script_xref(name:"IAVA", value:"2021-A-0156-S");

  script_name(english:"Atlassian JIRA < 8.5.13 / 8.6.x < 8.13.5 / 8.14.x < 8.15.1 Multiple Vulnerablities");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a web application that is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the instance of Atlassian JIRA hosted on the remote web server is
affected by multiple vulnerabilities. 

  - The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version
    8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous
    attackers to determine if a username is valid or not via a missing permissions check. (CVE-2020-36238)

  - The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version
    8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous
    attackers to determine if a group exists & members of groups if they are assigned to publicly visible
    issue field. (CVE-2020-36286)
  
  - The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version
    8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous
    attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF)
    vulnerability. (CVE-2021-26071)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version");
  script_set_attribute(attribute:"see_also", value:"https://jira.atlassian.com/browse/JRASERVER-72272");
  script_set_attribute(attribute:"see_also", value:"https://jira.atlassian.com/browse/JRASERVER-72249");
  script_set_attribute(attribute:"see_also", value:"https://jira.atlassian.com/browse/JRASERVER-72233");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Atlassian JIRA version 8.5.13 / 8.13.5 / 8.15.1 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-36286");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/03/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/03/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/04/08");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:atlassian:jira");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("jira_detect.nasl", "atlassian_jira_win_installed.nbin", "atlassian_jira_nix_installed.nbin");
  script_require_keys("installed_sw/Atlassian JIRA");

  exit(0);
}

include('vcf.inc');

app_info = vcf::combined_get_app_info(app:'Atlassian JIRA');

constraints = [
  {'fixed_version':'8.5.13'},
  {'min_version':'8.6.0', 'fixed_version':'8.13.5'},
  {'min_version':'8.14.0', 'fixed_version':'8.15.1'}
];

vcf::check_version_and_report(
  app_info:app_info,
  constraints:constraints,
  severity:SECURITY_WARNING,
  flags:{xsrf:TRUE}
);

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36238

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36286

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26071

jira.atlassian.com/browse/JRASERVER-72233

jira.atlassian.com/browse/JRASERVER-72249

jira.atlassian.com/browse/JRASERVER-72272

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

4.8

Confidence

High

EPSS

0.001

Percentile

42.2%

JSON

Related for JIRA_8_15_1.NASL