CVE-2019-3399 - OpenCVE

The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Atlassian	Jira Server Jira

Configuration 1 [-]

OR	cpe:2.3:a:atlassian:jira::::::::
	cpe:2.3:a:atlassian:jira_server::::::::

References

Link	Resource
https://jira.atlassian.com/browse/JRASERVER-69246	Issue Tracking Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: atlassian

Published: 2019-04-29T00:00:00

Updated: 2019-04-30T15:28:27

Reserved: 2018-12-19T00:00:00

Link: CVE-2019-3399

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-04-30T16:29:00.683

Modified: 2022-03-25T17:20:54.360

Link: CVE-2019-3399

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Jira", "vendor": "Atlassian", "versions": [{"lessThan": "7.13.2", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom"}, {"lessThan": "8.0.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2019-04-29T00:00:00", "descriptions": [{"lang": "en", "value": "The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "Incorrect Authorization (CWE-863)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-04-30T15:28:27", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://jira.atlassian.com/browse/JRASERVER-69246"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-04-29T00:00:00", "ID": "CVE-2019-3399", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jira", "version": {"version_data": [{"version_affected": "<", "version_value": "7.13.2"}, {"version_affected": ">=", "version_value": "8.0.0"}, {"version_affected": "<", "version_value": "8.0.2"}]}}]}, "vendor_name": "Atlassian"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Incorrect Authorization (CWE-863)"}]}]}, "references": {"reference_data": [{"name": "https://jira.atlassian.com/browse/JRASERVER-69246", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69246"}]}}}}, "cveMetadata": {"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-3399", "datePublished": "2019-04-29T00:00:00", "dateReserved": "2018-12-19T00:00:00", "dateUpdated": "2019-04-30T15:28:27", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "2DB85D56-71EA-478E-95CF-8CCD86367103", "versionEndExcluding": "7.13.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D8211E1-DD5C-4518-894D-6F62B9C72B1A", "versionEndExcluding": "8.0.2", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The BrowseProjects.jspa resource in Jira before version 7.13.2, and from version 8.0.0 before version 8.0.2 allows remote attackers to see information for archived projects through a missing authorisation check."}, {"lang": "es", "value": "El recurso BrowseProjects.jspa en Jira anterior a la versi\u00f3n 7.13.2 y desde la versi\u00f3n 8.0.0 anterior a la versi\u00f3n 8.0.2 permite a los atacantes remotos observar informaci\u00f3n de proyectos archivados por a una falta de comprobaci\u00f3n de autorizaci\u00f3n."}], "id": "CVE-2019-3399", "lastModified": "2022-03-25T17:20:54.360", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-30T16:29:00.683", "references": [{"source": "security@atlassian.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://jira.atlassian.com/browse/JRASERVER-69246"}], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@atlassian.com", "type": "Secondary"}]}