PT-2021-11994 · Atlassian · Jira+1
Published: 2021-04-09 · Updated: 2022-09-20
CVE-2020-36287
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
Jira Server versions prior to 8.13.5
Jira Server versions 8.14.0 through 8.15.0
Jira Data Center versions prior to 8.13.5
Jira Data Center versions 8.14.0 through 8.15.0
Description:
The issue allows remote anonymous attackers to obtain gadget-related settings via a missing permissions check in the dashboard gadgets preference resource of the Atlassian gadgets plugin.
Recommendations:
For Jira Server versions prior to 8.13.5, update to version 8.13.5 or later.
For Jira Server versions 8.14.0 through 8.15.0, update to version 8.15.1 or later.
For Jira Data Center versions prior to 8.13.5, update to version 8.13.5 or later.
For Jira Data Center versions 8.14.0 through 8.15.0, update to version 8.15.1 or later.
Exploit
Fix
Incorrect Authorization
Missing Authorization
Affected Products
Gadgets Plugin
Jira