Severity: 9.8 CRITICAL
EPSS: 16.2% (top 5.19%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 29; Latest update May 24

Description

Jira Data Center, Jira Core Data Center, Jira Software Data Center from version 6.3.0 before 8.5.16, from 8.6.0 before 8.13.8, from 8.14.0 before 8.17.0 and Jira Service Management Data Center from version 2.0.2 before 4.5.16, from version 4.6.0 before 4.13.8, and from version 4.14.0 before 4.17.0 exposed an Ehcache RMI network service through which attackers who can connect to the service on port 40001 and potentially 40011 [0][1] could execute arbitrary code of their choice in Jira through deserializ

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (7 packages)

Source    | Package                                         | Introduced | Fixed       | More
CVEListV5 | atlassian/jira_service_management_data_center   | 2.0.2      | unspecified | +5
CVEListV5 | atlassian/jira_core_data_center                 | 6.3.0      | unspecified | +5
CVEListV5 | atlassian/jira_software_data_center             | 6.3.0      | unspecified | +5
CVEListV5 | atlassian/jira_data_center                      | 6.3.0      | unspecified | +5
NVD       | atlassian/jira_data_center                      | 6.3.0      | 8.5.16      | +2

Patches

🔴 Vulnerability Details (2 references)

GHSA: GHSA-2xhw-jfhh-p475: Jira Data Center, Jira Core Data Center, Jira Software Data Center from version 6 (2022-05-24)
CVEList: CVE-2020-36239: Jira Data Center, Jira Core Data Center, Jira Software Data Center from version 6 (2021-07-29)
CVE-2020-36239 (CRITICAL CVSS 9.8) | Jira Data Center | cvebase.io