CVE-2020-36289

Summary

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.

Affected Software

VendorProductVersion RangeStatus
AtlassianJira Serverunspecified < 8.5.13affected
AtlassianJira Server8.6.0 < unspecifiedaffected
AtlassianJira Serverunspecified < 8.13.5affected
AtlassianJira Server8.14.0 < unspecifiedaffected
AtlassianJira Serverunspecified < 8.15.1affected
AtlassianJira Data Centerunspecified < 8.5.13affected
AtlassianJira Data Center8.6.0 < unspecifiedaffected
AtlassianJira Data Centerunspecified < 8.13.5affected
AtlassianJira Data Center8.14.0 < unspecifiedaffected
AtlassianJira Data Centerunspecified < 8.15.1affected

Weaknesses

  • Information Disclosure

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References