CVE-2020-36289
published 2021-05-12CVE-2020-36289: Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the…
PriorityP263medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
EXPLOIT
EPSS
99.21%
99.9th percentile
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| atlassian | data_center | < 8.5.13 | 8.5.13 |
| atlassian | jira | < 8.5.13 | 8.5.13 |
| atlassian | jira_data_center | >= 8.14.0 < unspecified | unspecified |
| atlassian | jira_data_center | >= 8.14.0 < 8.15.1 | 8.15.1 |
| atlassian | jira_data_center | >= 8.6.0 < unspecified | unspecified |
| atlassian | jira_data_center | >= 8.6.0 < 8.13.5 | 8.13.5 |
| atlassian | jira_data_center | >= unspecified < 8.5.13 | 8.5.13 |
| atlassian | jira_data_center | >= unspecified < 8.13.5 | 8.13.5 |
| atlassian | jira_data_center | >= unspecified < 8.15.1 | 8.15.1 |
| atlassian | jira_server | >= 8.14.0 < unspecified | unspecified |
| atlassian | jira_server | >= 8.14.0 < 8.15.1 | 8.15.1 |
| atlassian | jira_server | >= 8.6.0 < unspecified | unspecified |
| atlassian | jira_server | >= 8.6.0 < 8.13.5 | 8.13.5 |
| atlassian | jira_server | >= unspecified < 8.5.13 | 8.5.13 |
| atlassian | jira_server | >= unspecified < 8.13.5 | 8.13.5 |
| atlassian | jira_server | >= unspecified < 8.15.1 | 8.15.1 |
Detection & IOCsextracted from sources · hover to see the quote
path/secure/QueryComponentRendererValue!Default.jspa
snort
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Atlassian Jira Unauth User Enumeration Attempt (CVE-2020-36289)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/secure/QueryComponentRendererValue!Default.jspa?assignee=user|3a|admin"; fast_pattern; endswith; reference:url,jira.atlassian.com/browse/JRASERVER-71559; reference:cve,2020-36289; reference:url,twitter.com/ptswarm/status/1402644004781633540/photo/1; classtype:attempted-admin; sid:2033136; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_06_11, cve CVE_2020_36289, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_07, reviewed_at 2024_05_06;)
- →Shodan queries for exposed Jira instances that may be vulnerable: search for http.component:"Atlassian Jira" or http.component:"atlassian jira". ↗
- →The Snort/ET rule matches on the URI pattern /secure/QueryComponentRendererValue!Default.jspa?assignee=user|3a|admin (URL-encoded colon) in an established GET request to the server, with high confidence and Major severity.
- →Two URL path variants should be monitored: the root-relative /secure/... path and the /jira/secure/... path, as both are tested by exploit tooling.
- ·Vulnerability only affects Jira Server and Data Center; versions before 8.5.13, 8.6.0–8.13.4, and 8.14.0–8.15.0 are affected. Patched versions (8.5.13+, 8.13.5+, 8.15.1+) are not vulnerable. ↗
- ·The Nuclei template uses stop-at-first-match, meaning only one of the two URL variants will be tested per scan run; ensure both paths are covered in custom detection logic.
- ·The ET Snort rule (sid:2033136) targets the perimeter and internal deployment zones, indicating it is intended for both edge and internal network monitoring.
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Suricata
ET EXPLOIT Atlassian Jira Unauth User Enumeration Attempt (CVE-2020-36289)
suricata·2021-06-11·CVSS 5.3
CVE-2020-36289 [MEDIUM] ET EXPLOIT Atlassian Jira Unauth User Enumeration Attempt (CVE-2020-36289)
ET EXPLOIT Atlassian Jira Unauth User Enumeration Attempt (CVE-2020-36289)
Rule: alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Atlassian Jira Unauth User Enumeration Attempt (CVE-2020-36289)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/secure/QueryComponentRendererValue!Default.jspa?assignee=user|3a|admin"; fast_pattern; endswith; reference:url,jira.atlassian.com/browse/JRASERVER-71559; reference:cve,2020-36289; reference:url,twitter.com/ptswarm/status/1402644004781633540/photo/1; classtype:attempted-admin; sid:2033136; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_06_11, cve CVE_2020_36289, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at
Nuclei
Jira Server and Data Center - Information Disclosure
nuclei·CVSS 5.3
CVE-2020-36289 [MEDIUM] Jira Server and Data Center - Information Disclosure
Jira Server and Data Center - Information Disclosure
Jira Server and Data Center is susceptible to information disclosure. An attacker can enumerate users via the QueryComponentRendererValue!Default.jspa endpoint and thus potentially access sensitive information, modify data, and/or execute unauthorized operations, Affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.
Template:
id: CVE-2020-36289
info:
name: Jira Server and Data Center - Information Disclosure
author: dhiyaneshDk
severity: medium
description: Jira Server and Data Center is susceptible to information disclosure. An attacker can enumerate users via the QueryComponentRendererValue!Default.jspa endpoint and thus potentially access sensitive information, modify
Recorded Future
Analyze Recent Atlassian Vulnerabilities and Keep Your Infrastructure Protected
blogs_recorded_future·CVSS 9.6
[CRITICAL] Analyze Recent Atlassian Vulnerabilities and Keep Your Infrastructure Protected
## Analyze Recent Atlassian Vulnerabilities and Keep Your Infrastructure Protected
For years, software solutions built by Atlassian have found their way to nearly every organization's software stack. Tools such as JIRA, Confluence, Bamboo, and BitBucket are often seen playing a crucial role in various departments across enterprises.
From managing projects or handling organization-wide documentation, to hosting the very code of a product being developed by the organization, the constant reliance upon and amount of historical data held within these applications have turned them into a lucrative target for attackers, expanding the attack surface in the process.
## Historical Atlassian Vulnerabilities
Traditionally, vulnerabilities within the Atlassian software stack have originated from d
Recorded Future
Analyze Recent Atlassian Vulnerabilities and Keep Your Infrastructure Protected
blogs_recorded_future·CVSS 9.6
[CRITICAL] Analyze Recent Atlassian Vulnerabilities and Keep Your Infrastructure Protected
# Analyze Recent Atlassian Vulnerabilities and Keep Your Infrastructure Protected
For years, software solutions built by Atlassian have found their way to nearly every organization's software stack. Tools such as JIRA, Confluence, Bamboo, and BitBucket are often seen playing a crucial role in various departments across enterprises.
From managing projects or handling organization-wide documentation, to hosting the very code of a product being developed by the organization, the constant reliance upon and amount of historical data held within these applications have turned them into a lucrative target for attackers, expanding the attack surface in the process.
## Historical Atlassian Vulnerabilities
Traditionally, vulnerabilities within the Atlassian software stack have originated from di
Greynoiseio
Malicious Tag Roundup (Jun 21-Jul 16, 2021)
blogs_greynoiseio·CVSS 5.3
[MEDIUM] Malicious Tag Roundup (Jun 21-Jul 16, 2021)
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
2021-05-12
Published