Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-36289

CWE-863 — Incorrect Authorization CWE-200 — Information Exposure5 documents5 sources

Severity

5.3MEDIUM

EPSS

92.0%

top 0.30%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Atlassian Jira Data Center Atlassian Jira Server Atlassian Data Center +1 more

Timeline

PublishedMay 12

Latest updateMay 24

Description

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages6 packages

▶CVEListV5atlassian/jira_data_centerunspecified — 8.5.13+4

▶NVDatlassian/jira_data_center8.6.0 — 8.13.5+1

▶CVEListV5atlassian/jira_serverunspecified — 8.5.13+4

▶NVDatlassian/data_center< 8.5.13

▶NVDatlassian/jira_server8.6.0 — 8.13.5+1

🔴Vulnerability Details

GHSA

GHSA-jxv7-5f9p-6rg2: Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerabilit↗2022-05-24

▶

CVEList

CVE-2020-36289: Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerabilit↗2021-05-12

▶

💥Exploits & PoCs

Nuclei

Jira Server and Data Center - Information Disclosure

▶

🔍Detection Rules

Suricata

ET EXPLOIT Atlassian Jira Unauth User Enumeration Attempt (CVE-2020-36289)↗2021-06-11

▶