cve-2020-36238
Vulnerability from cvelistv5
Published
2021-04-01 02:30
Modified
2024-09-17 00:30
Severity
Summary
The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or not via a missing permissions check.
References
| Source | URL | Tags |
|---|---|---|
| security@atlassian.com | https://jira.atlassian.com/browse/JRASERVER-72249 | Patch, Vendor Advisory |
Impacted products
| Vendor | Product |
|---|---|
| Atlassian | Jira Server |
| Atlassian | Jira Data Center |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:23:09.934Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-72249"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jira Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.5.13",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.6.0",
"versionType": "custom"
},
{
"lessThan": "8.13.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.15.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.5.13",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.6.0",
"versionType": "custom"
},
{
"lessThan": "8.13.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.15.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-04-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or not via a missing permissions check."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization (CWE-863)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-01T02:30:13",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-72249"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2021-04-01T00:00:00",
"ID": "CVE-2020-36238",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jira Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.5.13"
},
{
"version_affected": "\u003e=",
"version_value": "8.6.0"
},
{
"version_affected": "\u003c",
"version_value": "8.13.5"
},
{
"version_affected": "\u003e=",
"version_value": "8.14.0"
},
{
"version_affected": "\u003c",
"version_value": "8.15.1"
}
]
}
},
{
"product_name": "Jira Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.5.13"
},
{
"version_affected": "\u003e=",
"version_value": "8.6.0"
},
{
"version_affected": "\u003c",
"version_value": "8.13.5"
},
{
"version_affected": "\u003e=",
"version_value": "8.14.0"
},
{
"version_affected": "\u003c",
"version_value": "8.15.1"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or not via a missing permissions check."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Incorrect Authorization (CWE-863)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/JRASERVER-72249",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/JRASERVER-72249"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2020-36238",
"datePublished": "2021-04-01T02:30:14.029329Z",
"dateReserved": "2021-01-27T00:00:00",
"dateUpdated": "2024-09-17T00:30:53.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2020-36238\",\"sourceIdentifier\":\"security@atlassian.com\",\"published\":\"2021-04-01T03:15:13.820\",\"lastModified\":\"2022-09-20T19:28:41.483\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or not via a missing permissions check.\"},{\"lang\":\"es\",\"value\":\"El recurso /rest/api/1.0/render en Jira Server y Data Center anterior a versi\u00f3n 8.5.13, desde versi\u00f3n 8.6.0 anterior a versi\u00f3n 8.13.5 y desde versi\u00f3n 8.14.0 anterior a versi\u00f3n 8.15.1, permite a atacantes an\u00f3nimos remotos determinar si un nombre de usuario es v\u00e1lido o no mediante una falta de comprobaci\u00f3n de permisos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.0},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]},{\"source\":\"security@atlassian.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"8.5.13\",\"matchCriteriaId\":\"A455FC63-AF29-4D31-8E11-AA5671D12E06\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"8.5.13\",\"matchCriteriaId\":\"FA8144D6-FDAF-4B92-BE54-832893AC0A1E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.6.0\",\"versionEndExcluding\":\"8.13.5\",\"matchCriteriaId\":\"26055208-F18D-4FF9-A442-7DD62D80F7E7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.14.0\",\"versionEndExcluding\":\"8.15.1\",\"matchCriteriaId\":\"9F4C4682-A56A-4BEA-AFD7-6F116FCE8EF9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.6.0\",\"versionEndExcluding\":\"8.13.5\",\"matchCriteriaId\":\"9DF55918-44C7-4DC9-BD66-9FD9BA64A955\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.14.0\",\"versionEndExcluding\":\"8.15.1\",\"matchCriteriaId\":\"3C31DC16-F8E3-4261-B539-C251E4BBC584\"}]}]}],\"references\":[{\"url\":\"https://jira.atlassian.com/browse/JRASERVER-72249\",\"source\":\"security@atlassian.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}"
}
}
Loading...