CVE-2018-13400

23.10.2018, 13:29

Several administrative resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers who have obtained access to administrator's session to access certain administrative resources without needing to re-authenticate to pass "WebSudo" through an improper access control vulnerability.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.7 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
atlassian	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 42%

Vendor	Product	Version
atlassian	jira	𝑥 < 7.6.9
atlassian	jira_server	7.7.0 ≤ 𝑥 < 7.7.5
atlassian	jira_server	7.8.0 ≤ 𝑥 < 7.8.5
atlassian	jira_server	7.9.0 ≤ 𝑥 < 7.9.3
atlassian	jira_server	7.10.0 ≤ 𝑥 < 7.10.3
atlassian	jira_server	7.11.0 ≤ 𝑥 < 7.11.3
atlassian	jira_server	7.12.0 ≤ 𝑥 < 7.12.3
atlassian	jira_server	7.13.0 ≤ 𝑥 < 7.13.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-269 - Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References

http://www.securityfocus.com/bid/105751

https://jira.atlassian.com/browse/JRASERVER-68138

http://www.securityfocus.com/bid/105751

https://jira.atlassian.com/browse/JRASERVER-68138