PT-2021-11969 · Atlassian · Atlassian-Gadgets+1

Published: 2021-02-22 · Updated: 2022-03-30 · CVE-2020-36232

CVSS v3.1: 5.0 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
atlassian-gadgets versions 4.2.37 and earlier
atlassian-gadgets versions 4.3.0 through 4.3.13
atlassian-gadgets versions 4.3.2.0 through 4.3.2.3
atlassian-gadgets versions 4.4.0 through 4.4.11
atlassian-gadgets versions 5.0.0

Description: The MessageBundleWhiteList class of atlassian-gadgets incorrectly obtained application base URL information from the executing HTTP request, which could be controlled by an attacker, allowing unexpected DNS lookups and requests to arbitrary services.

Recommendations:
For atlassian-gadgets versions 4.2.37 and earlier, update to version 4.2.37 or later.
For atlassian-gadgets versions 4.3.0 through 4.3.13, update to version 4.3.14 or later.
For atlassian-gadgets versions 4.3.2.0 through 4.3.2.3, update to version 4.3.2.4 or later.
For atlassian-gadgets versions 4.4.0 through 4.4.11, update to version 4.4.12 or later.
For atlassian-gadgets versions 5.0.0, update to version 5.0.1 or later.
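The flaw described above, as an added Python illustration that is not code from atlassian-gadgets: a base URL built from the request's Host header lets a request-controlled origin pass a bundle whitelist check, while a base URL taken from configuration does not and makes the Host mismatch visible for logging. The configured base URL, the request headers and all function names are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed sample: the base URL an administrator configured for the instance.
CONFIGURED_BASE_URL = "https://jira.example.test"

# Constructed sample request whose Host header names a host the server does not own.
SPOOFED_REQUEST_HEADERS = {"Host": "bundles.attacker.test", "X-Forwarded-Proto": "https"}


def base_url_from_request(headers):
    """Weak pattern: derive the application base URL from the incoming request's Host header."""
    scheme = headers.get("X-Forwarded-Proto", "https")
    return f"{scheme}://{headers['Host']}"


def base_url_from_config(headers, configured=CONFIGURED_BASE_URL):
    """Hardened pattern: always use the configured base URL; report a Host mismatch so it can be logged."""
    expected_host = urlsplit(configured).netloc.lower()
    mismatch = headers.get("Host", "").lower() != expected_host
    return configured, mismatch


def is_whitelisted_bundle_url(candidate, base_url):
    """Allow a message-bundle URL only if it sits on the base URL's scheme, host(:port) and path prefix."""
    c, b = urlsplit(candidate), urlsplit(base_url)
    same_origin = (c.scheme, c.netloc.lower()) == (b.scheme, b.netloc.lower())
    prefix = b.path.rstrip("/") + "/"          # "" or "/jira" -> "/" or "/jira/"
    return same_origin and c.path.startswith(prefix)


def check_bundle(headers, candidate):
    """Evaluate one candidate bundle URL under both base-URL strategies."""
    weak_base = base_url_from_request(headers)
    safe_base, mismatch = base_url_from_config(headers)
    return {
        "weak_allows": is_whitelisted_bundle_url(candidate, weak_base),
        "hardened_allows": is_whitelisted_bundle_url(candidate, safe_base),
        "host_mismatch": mismatch,
    }


if __name__ == "__main__":
    # Under the weak strategy the spoofed Host makes the foreign bundle URL "local";
    # under the hardened one it is rejected and the mismatch is flagged.
    print(check_bundle(SPOOFED_REQUEST_HEADERS, "https://bundles.attacker.test/i18n/messages.xml"))
```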

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2020-36232

Affected Products

Jira
Atlassian-Gadgets