SB2020062323 - Multiple vulnerabilities in Atlassian JIRA 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020062323

SB2020062323 - Multiple vulnerabilities in Atlassian JIRA

Published: June 23, 2020 Updated: August 8, 2020

Security Bulletin ID SB2020062323
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2020-14167)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The MessageBundleResource resource in Jira Server and Data Center before version 7.13.4, from 8.5.0 before 8.5.5, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to impact the application's availability via an Denial of Service (DoS) vulnerability.


2) Input validation error (CVE-ID: CVE-2020-4028)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Versions before 8.9.1, Various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page, in some situations this may have allowed unauthorised attackers to determine if certain resources exist or not through an Information Disclosure vulnerability.


Remediation

Install update from vendor's website.

References