CVE-2020-36232

The MessageBundleWhiteList class of atlassian-gadgets before version 4.2.37, from version 4.3.0 before 4.3.14, from version 4.3.2.0 before 4.3.2.4, from version 4.4.0 before 4.4.12, and from version 5.0.0 before 5.0.1 allowed unexpected DNS lookups and requests to arbitrary services as it incorrectly obtained application base url information from the executing http request which could be attacker controlled.
References
Link Resource
https://jira.atlassian.com/browse/JRASERVER-72025 Issue Tracking Patch Vendor Advisory
Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:a:atlassian:atlassian-gadgets:*:*:*:*:*:atlassian:*:*
cpe:2.3:a:atlassian:atlassian-gadgets:*:*:*:*:*:atlassian:*:*
cpe:2.3:a:atlassian:atlassian-gadgets:*:*:*:*:*:atlassian:*:*
cpe:2.3:a:atlassian:atlassian-gadgets:*:*:*:*:*:atlassian:*:*
cpe:2.3:a:atlassian:atlassian-gadgets:*:*:*:*:*:atlassian:*:*
OR cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:jira_data_center:8.15.0:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:jira_server:8.15.0:*:*:*:*:*:*:*

History

30 Mar 2022, 13:29

Type Values Removed Values Added
First Time Atlassian jira Data Center
CPE cpe:2.3:a:atlassian:data_center:8.15.0:*:*:*:*:*:*:* cpe:2.3:a:atlassian:jira_data_center:8.15.0:*:*:*:*:*:*:*

25 Mar 2022, 18:14

Type Values Removed Values Added
CPE cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:jira:8.15.0:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:jira_server:8.15.0:*:*:*:*:*:*:*
First Time Atlassian jira Server

02 Mar 2021, 20:44

Type Values Removed Values Added
CWE CWE-918
CVSS v2 : unknown
v3 : unknown
v2 : 4.0
v3 : 5.0
CPE cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:data_center:8.15.0:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:jira:8.15.0:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:atlassian-gadgets:*:*:*:*:*:atlassian:*:*
References (MISC) https://jira.atlassian.com/browse/JRASERVER-72025 - (MISC) https://jira.atlassian.com/browse/JRASERVER-72025 - Issue Tracking, Patch, Vendor Advisory

22 Feb 2021, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2021-02-22 21:15

Updated : 2023-12-10 13:41


NVD link : CVE-2020-36232

Mitre link : CVE-2020-36232

CVE.ORG link : CVE-2020-36232


JSON object : View

Products Affected

atlassian

  • jira_data_center
  • jira_server
  • data_center
  • atlassian-gadgets
CWE
CWE-918

Server-Side Request Forgery (SSRF)