CVE-2019-20407

The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8.6.1 allows authenticated remote attackers to view release version information in projects that they do not have access to through an missing authorisation check.

CVSS v3 4.3 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://jira.atlassian.com/browse/JRASERVER-70599	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:atlassian:jira_data_center::::::::
	cpe:2.3:a:atlassian:jira_data_center::::::::
	cpe:2.3:a:atlassian:jira_data_center::::::::
	cpe:2.3:a:atlassian:jira_server::::::::
	cpe:2.3:a:atlassian:jira_server::::::::
	cpe:2.3:a:atlassian:jira_server::::::::

History

30 Mar 2022, 13:21

Type	Values Removed	Values Added
CPE	cpe:2.3:a:atlassian:jira_software_data_center::::::::	cpe:2.3:a:atlassian:jira_data_center::::::::
First Time		Atlassian jira Data Center

25 Mar 2022, 18:14

Type	Values Removed	Values Added
CPE	cpe:2.3:a:atlassian:jira::::::::

25 Mar 2022, 17:18

Type	Values Removed	Values Added
CPE		cpe:2.3:a:atlassian:jira_server::::::::
First Time		Atlassian jira Server

Information

Published : 2020-03-17 03:15

Updated : 2023-12-10 13:27

NVD link : CVE-2019-20407

Mitre link : CVE-2019-20407

CVE.ORG link : CVE-2019-20407

JSON object : View

Products Affected

atlassian

jira_server
jira_data_center

CWE

CWE-862

Missing Authorization

{"id": "CVE-2019-20407", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2020-03-17T03:15:11.043", "references": [{"url": "https://jira.atlassian.com/browse/JRASERVER-70599", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "security@atlassian.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8.6.1 allows authenticated remote attackers to view release version information in projects that they do not have access to through an missing authorisation check."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en el servidor de aplicaciones SPPA-T3000 (todas las versiones anteriores a la versi\u00f3n Service Pack R8.2 SP2). Un atacante con acceso de red al servidor de aplicaciones podr\u00eda obtener acceso a registros y archivos de configuraci\u00f3n enviando paquetes espec\u00edficamente dise\u00f1ados a 80 / tcp. Tenga en cuenta que un atacante debe tener acceso de red al Servidor de aplicaciones para aprovechar esta vulnerabilidad. En el momento de la publicaci\u00f3n del aviso no se conoc\u00eda la explotaci\u00f3n p\u00fablica de esta vulnerabilidad de seguridad."}], "lastModified": "2022-03-30T13:21:19.000", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D575CB76-2CB1-469E-A422-BFB78E9E98D3", "versionEndExcluding": "8.5.3", "versionStartIncluding": "8.4.1"}, {"criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "74CD8906-D8ED-4C08-BBB1-3D5F1E6D10E0", "versionEndExcluding": "8.6.1", "versionStartIncluding": "8.5.4"}, {"criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F6831C36-D5E9-4CC1-95DA-46A30CE964BA", "versionEndExcluding": "8.7.0", "versionStartExcluding": "8.6.2"}, {"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "541F2D87-10C7-4CA3-A193-466088F14EB9", "versionEndExcluding": "8.5.3", "versionStartIncluding": "8.4.1"}, {"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CC040D5A-4C98-4BBE-BF64-56E6F88BEDE2", "versionEndExcluding": "8.6.1", "versionStartIncluding": "8.5.4"}, {"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1884A441-8487-40FF-AEE3-E025670C0723", "versionEndExcluding": "8.7.0", "versionStartIncluding": "8.6.2"}], "operator": "OR"}]}], "sourceIdentifier": "security@atlassian.com"}