CVE-2020-36232

Summary

The MessageBundleWhiteList class of atlassian-gadgets before version 4.2.37, from version 4.3.0 before 4.3.14, from version 4.3.2.0 before 4.3.2.4, from version 4.4.0 before 4.4.12, and from version 5.0.0 before 5.0.1 allowed unexpected DNS lookups and requests to arbitrary services as it incorrectly obtained application base url information from the executing http request which could be attacker controlled.

Affected Software

VendorProductVersion RangeStatus
AtlassianAtlassian Gadgetsunspecified < 4.2.37affected
AtlassianAtlassian Gadgets4.3.0 < unspecifiedaffected
AtlassianAtlassian Gadgetsunspecified < 4.3.14affected
AtlassianAtlassian Gadgets4.3.2.0 < unspecifiedaffected
AtlassianAtlassian Gadgetsunspecified < 4.3.2.4affected
AtlassianAtlassian Gadgets4.4.0 < unspecifiedaffected
AtlassianAtlassian Gadgetsunspecified < 4.4.12affected
AtlassianAtlassian Gadgets5.0.0affected

Weaknesses

  • Security Misconfiguration

ADP Enrichment

CVE Program Container

Additional References

References