CVE-2020-36238
01.04.2021, 03:15
The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or not via a missing permissions check.Enginsight
| Vendor | Product | Version |
|---|---|---|
| atlassian | data_center | 𝑥 < 8.5.13 |
| atlassian | jira | 𝑥 < 8.5.13 |
| atlassian | jira_data_center | 8.6.0 ≤ 𝑥 < 8.13.5 |
| atlassian | jira_data_center | 8.14.0 ≤ 𝑥 < 8.15.1 |
| atlassian | jira_server | 8.6.0 ≤ 𝑥 < 8.13.5 |
| atlassian | jira_server | 8.14.0 ≤ 𝑥 < 8.15.1 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-863 - Incorrect AuthorizationThe software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
- CWE-862 - Missing AuthorizationThe software does not perform an authorization check when an actor attempts to access a resource or perform an action.