SB2020062914 - Multiple vulnerabilities in Atlassian JIRA 

Published: June 29, 2020
Updated: July 17, 2020

Security Bulletin ID: SB2020062914
Severity: Medium
Patch available: YES
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium 80% Low 20%

Description

This security bulletin contains information about 5 security vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2019-20414)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in Issue Navigator Basic Search. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


2) Information disclosure (CVE-ID: CVE-2019-20410)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in the comment restriction feature. The affected versions are before version 7.6.17, from version 7.7.0 before 7.13.9, and from version 8.0.0 before 8.4.2.


3) Cross-site request forgery (CVE-ID: CVE-2019-20411)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim into visiting a specially crafted web page and modify Wallboard settings via a Cross-site request forgery (CSRF) vulnerability. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.


4) Improper Authentication (CVE-ID: CVE-2019-20412)

The vulnerability allows a remote unauthenticated attacker to gain access to sensitive information.

The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allows remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue Keys; Issue Types; Status Types. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2.


5) Input validation error (CVE-ID: CVE-2019-20413)

The vulnerability allows remote attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can impact the application's availability via a Denial of Service (DoS) vulnerability on the UserPickerBrowser.jspa page.


Remediation

Install the update from the vendor's website.
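To decide whether a deployed Jira Server / Data Center instance falls inside the affected ranges stated in this bulletin, the following version check is added here as an example (it is not Atlassian's or the bulletin's own tooling). It covers only the three CVEs for which the bulletin gives version ranges, reads "before 8.4" as 8.4.0, and applies the stated ranges literally.

```python
"""Check a Jira version string against the affected ranges stated in this bulletin.
Constructed helper for this example; not Atlassian tooling."""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '8.4.2' into (8, 4, 2); pad to three components so '8.4' == (8, 4, 0)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


# Ranges are [lower, upper) exactly as the bulletin states them; a None lower
# bound means "all versions before upper". CVE-2019-20413 and CVE-2019-20414
# are omitted because the bulletin gives no version ranges for them.
AFFECTED = {
    "CVE-2019-20410": [(None, "7.6.17"), ("7.7.0", "7.13.9"), ("8.0.0", "8.4.2")],
    "CVE-2019-20411": [(None, "7.13.9"), ("8.0.0", "8.4")],  # bulletin says "before 8.4"
    "CVE-2019-20412": [(None, "7.13.9"), ("8.0.0", "8.4.2")],
}


def in_range(v: Version, lower: Optional[str], upper: str) -> bool:
    """True when lower <= v < upper (lower may be None for an open lower bound)."""
    lower_ok = lower is None or parse_version(lower) <= v
    return lower_ok and v < parse_version(upper)


def affected_cves(version_text: str) -> List[str]:
    """Return the bulletin CVEs whose stated ranges include this version."""
    v = parse_version(version_text)
    return sorted(
        cve for cve, ranges in AFFECTED.items()
        if any(in_range(v, lo, hi) for lo, hi in ranges)
    )


if __name__ == "__main__":
    # Constructed sample versions around the boundaries named in the bulletin.
    for sample in ("7.6.16", "7.6.17", "7.13.8", "8.4.1", "8.4.2"):
        print(sample, affected_cves(sample) or "not in any stated range")
```

Note that, taken literally, the ranges for CVE-2019-20411 and CVE-2019-20412 ("before 7.13.9") still include 7.6.17, which is only the fixed version for CVE-2019-20410.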