CVE-2020-36289
published 2021-05-12


Priority: P2 (63) · Severity: medium · CVSS 3.1 base score: 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Tag: EXPLOIT
EPSS: 99.21% (99.9th percentile)
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.

Affected (16 ranges)

Vendor    | Product          | Version range            | Fixed in
atlassian | data_center      | < 8.5.13                 | 8.5.13
atlassian | jira             | < 8.5.13                 | 8.5.13
atlassian | jira_data_center | >= 8.14.0 < unspecified  | unspecified
atlassian | jira_data_center | >= 8.14.0 < 8.15.1       | 8.15.1
atlassian | jira_data_center | >= 8.6.0 < unspecified   | unspecified
atlassian | jira_data_center | >= 8.6.0 < 8.13.5        | 8.13.5
atlassian | jira_data_center | >= unspecified < 8.5.13  | 8.5.13
atlassian | jira_data_center | >= unspecified < 8.13.5  | 8.13.5
atlassian | jira_data_center | >= unspecified < 8.15.1  | 8.15.1
atlassian | jira_server      | >= 8.14.0 < unspecified  | unspecified
atlassian | jira_server      | >= 8.14.0 < 8.15.1       | 8.15.1
atlassian | jira_server      | >= 8.6.0 < unspecified   | unspecified
atlassian | jira_server      | >= 8.6.0 < 8.13.5        | 8.13.5
atlassian | jira_server      | >= unspecified < 8.5.13  | 8.5.13
atlassian | jira_server      | >= unspecified < 8.13.5  | 8.13.5
atlassian | jira_server      | >= unspecified < 8.15.1  | 8.15.1

Detection & IOCs (extracted from sources)

url: /secure/QueryComponentRendererValue!Default.jspa?assignee=user:admin
url: /jira/secure/QueryComponentRendererValue!Default.jspa?assignee=user:admin
path: /secure/QueryComponentRendererValue!Default.jspa
snort rule:
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Atlassian Jira Unauth User Enumeration Attempt (CVE-2020-36289)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/secure/QueryComponentRendererValue!Default.jspa?assignee=user|3a|admin"; fast_pattern; endswith; reference:url,jira.atlassian.com/browse/JRASERVER-71559; reference:cve,2020-36289; reference:url,twitter.com/ptswarm/status/1402644004781633540/photo/1; classtype:attempted-admin; sid:2033136; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_06_11, cve CVE_2020_36289, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_07, reviewed_at 2024_05_06;)
  • Shodan queries for exposed Jira instances that may be vulnerable: search for http.component:"Atlassian Jira" or http.component:"atlassian jira".
  • The Snort/ET rule matches on the URI pattern /secure/QueryComponentRendererValue!Default.jspa?assignee=user|3a|admin (|3a| is the colon in Snort's hex-escape notation) at the end of the URI of an established GET request to the server, with high confidence and Major severity.
  • Two URL path variants should be monitored: the root-relative /secure/... path and the /jira/secure/... path, as both are tested by exploit tooling.
  • The vulnerability only affects Jira Server and Data Center; versions before 8.5.13, 8.6.0–8.13.4, and 8.14.0–8.15.0 are affected. Patched versions (8.5.13+, 8.13.5+, 8.15.1+) are not vulnerable.
  • The Nuclei template uses stop-at-first-match, so a scan run stops at the first URL variant that matches and may report only one of the two; ensure both paths are covered in custom detection logic.
  • The ET Snort rule (sid:2033136) targets the perimeter and internal deployment zones, indicating it is intended for both edge and internal network monitoring.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | v3.1    | 5.3   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd    | v2.0    | 5.0   | MEDIUM   | AV:N/AC:L/Au:N/C:P/I:N/A:N