CVE-2017-18101: Improper Access Control in Atlassian Jira

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.4% (top 40.27%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 10 | Latest update Apr 30

Description

Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if an internal service exists through missing permission checks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 3.9 | Impact: 2.5

Affected Packages (3 packages)

NVD | atlassian/jira_server | 7.7.0 | 7.7.3 | +1
CVEListV5 | atlassian/jira | unspecified | 7.6.5 | +4
NVD | atlassian/jira | < 7.6.5

Vulnerability Details (2)

GHSA | GHSA-3mvr-qcj7-4jj5: Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7 | 2022-04-30
CVEList | CVE-2017-18101: Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7 | 2018-04-10
CVE-2017-18101 — Improper Access Control in Atlassian | cvebase