CVE-2020-36287 - OpenCVE

The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Atlassian	Jira Server Jira Data Center Data Center Jira

Configuration 1 [-]

OR	cpe:2.3:a:atlassian:data_center::::::::
	cpe:2.3:a:atlassian:jira::::::::
	cpe:2.3:a:atlassian:jira_data_center::::::::
	cpe:2.3:a:atlassian:jira_server::::::::

References

Link	Resource
https://jira.atlassian.com/browse/JRASERVER-72258	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: atlassian

Published: 2021-04-09T00:00:00

Updated: 2021-04-09T02:00:13

Reserved: 2021-03-31T00:00:00

Link: CVE-2020-36287

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-04-09T02:15:12.960

Modified: 2022-09-20T19:28:33.500

Link: CVE-2020-36287

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Jira Server", "vendor": "Atlassian", "versions": [{"lessThan": "8.13.5", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom"}, {"lessThan": "8.15.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Jira Data Center", "vendor": "Atlassian", "versions": [{"lessThan": "8.13.5", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "8.14.0", "versionType": "custom"}, {"lessThan": "8.15.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2021-04-09T00:00:00", "descriptions": [{"lang": "en", "value": "The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "Incorrect Authorization (CWE-863)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-09T02:00:13", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://jira.atlassian.com/browse/JRASERVER-72258"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2021-04-09T00:00:00", "ID": "CVE-2020-36287", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jira Server", "version": {"version_data": [{"version_affected": "<", "version_value": "8.13.5"}, {"version_affected": ">=", "version_value": "8.14.0"}, {"version_affected": "<", "version_value": "8.15.1"}]}}, {"product_name": "Jira Data Center", "version": {"version_data": [{"version_affected": "<", "version_value": "8.13.5"}, {"version_affected": ">=", "version_value": "8.14.0"}, {"version_affected": "<", "version_value": "8.15.1"}]}}]}, "vendor_name": "Atlassian"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Incorrect Authorization (CWE-863)"}]}]}, "references": {"reference_data": [{"name": "https://jira.atlassian.com/browse/JRASERVER-72258", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-72258"}]}}}}, "cveMetadata": {"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2020-36287", "datePublished": "2021-04-09T00:00:00", "dateReserved": "2021-03-31T00:00:00", "dateUpdated": "2021-04-09T02:00:13", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "97107452-2B55-47E7-94EC-EF0504CA5E87", "versionEndExcluding": "8.13.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "85F720A3-5688-412C-8DFD-DA1E2FB2B684", "versionEndExcluding": "8.13.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F4C4682-A56A-4BEA-AFD7-6F116FCE8EF9", "versionEndExcluding": "8.15.1", "versionStartIncluding": "8.14.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C31DC16-F8E3-4261-B539-C251E4BBC584", "versionEndExcluding": "8.15.1", "versionStartIncluding": "8.14.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to obtain gadget related settings via a missing permissions check."}, {"lang": "es", "value": "El recurso de preferencia de gadgets del panel de control del plugin de gadgets de Atlassian usado en Jira Server y Jira Data Center versiones anteriores a 8.13.5, y desde versi\u00f3n 8.14.0 anterior a 8.15.1, permite a atacantes remotos y an\u00f3nimos obtener configuraciones relacionadas con gadgets por medio de una falta de comprobaci\u00f3n de permisos"}], "id": "CVE-2020-36287", "lastModified": "2022-09-20T19:28:33.500", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-09T02:15:12.960", "references": [{"source": "security@atlassian.com", "tags": ["Vendor Advisory"], "url": "https://jira.atlassian.com/browse/JRASERVER-72258"}], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@atlassian.com", "type": "Secondary"}]}