{"vulnerability": "CVE-2020-3623", "sightings": [{"uuid": "2d481f7b-e814-4729-9326-6bb349668a47", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-36239", "type": "seen", "source": "MISP/3379a8e9-a13c-42af-8a21-b1907a3be73e", "content": "", "creation_timestamp": "2024-11-14T06:09:24.000000Z"}, {"uuid": "99c555e8-4134-4df0-a13d-73081ccf5a14", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-36231", "type": "seen", "source": "https://t.me/cibsecurity/22934", "content": "\u203c CVE-2020-36231 \u203c\n\nAffected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-02-02T02:25:19.000000Z"}, {"uuid": "6b7dbc4c-bd30-4d9b-a4fa-f226ff1426c9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-36239", "type": "seen", "source": "https://t.me/cKure/6261", "content": "\u25a0\u25a0\u25a0\u25a0\u25a1 Multiple versions of its Jira Data Center and Jira Service Management Data Center product has\u00a0CVE-2020-36239; that can give remote attackers code execution abilities, due to\u00a0a missing authentication flaw in Ehcache RMI.\n\nhttps://www.bleepingcomputer.com/news/security/atlassian-asks-customers-to-patch-critical-jira-vulnerability/", "creation_timestamp": "2021-07-22T08:36:14.000000Z"}, {"uuid": "880c0e40-3e9d-41ce-978b-33b43a27c1f2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-36239", "type": "seen", "source": "https://t.me/BleepingComputer/10187", "content": "Atlassian asks customers to patch critical Jira vulnerability\n\nAtlassian is prompting\u00a0its enterprise customers to patch a critical vulnerability in multiple versions of its Jira Data Center and Jira Service Management Data Center products. The vulnerability tracked as\u00a0CVE-2020-36239 can give remote attackers code execution abilities, due to\u00a0a missing authentication flaw in Ehcache RMI. [...]\n\nhttps://www.bleepingcomputer.com/news/security/atlassian-asks-customers-to-patch-critical-jira-vulnerability/", "creation_timestamp": "2021-07-22T18:24:23.000000Z"}, {"uuid": "af21c47b-15e7-43fb-9009-c7a20b308881", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-36239", "type": "published-proof-of-concept", "source": "https://t.me/ETHICALHACKERSCOMMUNITY2/349", "content": "Programmatically create hunting rules for deserialization exploitation (https://www.kitploit.com/search/label/Exploitation) with multiple    keywords (e.g. cmd.exe)  gadget chains (e.g. CommonsCollection)  object types (e.g. ViewState, Java, Python Pickle, PHP)  encodings (e.g. Base64, raw)  rule types (e.g. Snort, Yara)  \n  Disclaimer  Rules generated by this tool are intended for hunting/research purposes and are not designed for high fidelity/blocking purposes.  Please test thoroughly before deploying to any production systems.  The Yara rules are primarily intended for scanning web server logs. Some of the \"object prefixes\" are only 2 bytes long, so they can make large scans a bit slow. (Translation: please don't drop them all into VT Retrohunt.)  Usage  Help:  python3 heyserial.py -h  Examples:  python3 heyserial.py -c 'ExampleChain::condition1+condition2' -t JavaObj  python3 heyserial.py -k cmd.exe whoami 'This file cannot be run in DOS mode'  python3 heyserial.py -k Process.Start -t NETViewState -e base64 \"base64+utf16le\"    Utils  utils/checkyoself.py  This is a tool to automate bulk testing of Snort and Yara rules on a variety of sample files.  Usage:  python3 checkyoself.py [-y rules.yara] [-s rules.snort] [-o file_output_prefix] [--matches] [--misses] -d malware.exe malware.pcap  Examples:  python3 checkyoself.py -y rules/javaobj -s rules/javaobj -d payloads/javaobj pcaps --misses -o java_misses  utils/generate_payloads.ps1  YSoSerial.NET v1.34 payload generation. Run on Windows from the ./utils directory.    Source: https://github.com/pwntester/ysoserial.net  License: ysoserial.net_LICENSE.txt    utils/generate_payloads.sh  YSoSerial payload generation. Run on Linux from the ./utils directory.    Source: https://github.com/frohoff/ysoserial  License: ysoserial_LICENSE.txt    utils/install_snort.sh  Installing Snort on a Debian based system was a bit finnicky for me, so I wrote my install notes here.  Use at your own risk in a VM that you have snapshotted recently.  utils/server.py  Simple Python script that runs an HTTP server on 127.0.0.1:12345 and accepts POST requests.  Handy for generating test PCAPs.  License  Copyright (C) 2021 Alyssa Rahman, Mandiant, Inc. All Rights Reserved.  Licensed under the Apache License, Version 2.0 (the \"License\"); you may not use this file except in compliance with the License.  You may obtain a copy of the License at: [package root]/LICENSE.txt  Unless required by applicable law or agreed to in writing, software distributed (https://www.kitploit.com/search/label/Distributed) under the License is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the License for the specific language governing permissions and limitations under the License.  Contributing  Check out the Developers' guide (DEVELOPERS.md) for more details on extending HeySerial!  Prior Work/Related Resources  Tools    Deserialization-Cheat-Sheet (https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet) \u2013 @GrrrDog  Ysoserial (https://github.com/frohoff/ysoserial) - @frohoff  MarshalSec (https://github.com/frohoff/marshalsec) - @frohoff  Ysoserial (forked) (https://github.com/wh1t3p1g/ysoserial) - @wh1t3p1g  Ysoserial.NET (https://github.com/pwntester/ysoserial.net) and v2 branch (https://github.com/pwntester/ysoserial.net/tree/v2) - @pwntester  ViewGen (https://github.com/0xacb/viewgen) \u2013 0xacb  Rogue-JNDI (https://github.com/veracode-research/rogue-jndi) - @veracode-research    Vulnerabilities    Log4J (CVE-2021-44228 (https://www.lunasec.io/docs/blog/log4j-zero-day/))  Exchange (CVE-2021-42321 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42321))  Zoho ManageEngine (CVE-2020-10189 (https://nvd.nist.gov/vuln/detail/CVE-2020-10189))  Jira (CVE-2020-36239 (https://oxalis.io/atlassian-jira-data-centers-critical-vulnerability-what-you-need-to-know/))  Telerik (CVE-2019-18935", "creation_timestamp": "2022-05-12T22:17:01.000000Z"}, {"uuid": "f0bafc64-189f-4968-9459-62c9d7e4ba7b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-36236", "type": "seen", "source": "https://t.me/cibsecurity/23582", "content": "\u203c CVE-2020-36236 \u203c\n\nAffected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-02-15T02:45:57.000000Z"}, {"uuid": "6db4bb7b-a6ba-492b-a4c4-2def1cb053a2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-36237", "type": "seen", "source": "https://t.me/cibsecurity/23581", "content": "\u203c CVE-2020-36237 \u203c\n\nAffected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field options via an Information Disclosure vulnerability in the /rest/api/2/customFieldOption/ endpoint. The affected versions are before version 8.15.0.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-02-15T02:45:56.000000Z"}, {"uuid": "fc56fd59-2ad4-4182-b187-3e8c9fe557d9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-36235", "type": "seen", "source": "https://t.me/cibsecurity/23580", "content": "\u203c CVE-2020-36235 \u203c\n\nAffected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view. The affected versions are before version 8.13.2, and from version 8.14.0 before 8.14.1.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-02-15T02:45:55.000000Z"}, {"uuid": "bf16fe25-b58d-49a8-bd04-1ab9a422d0d1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-36234", "type": "seen", "source": "https://t.me/cibsecurity/23579", "content": "\u203c CVE-2020-36234 \u203c\n\nAffected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Screens Modal view. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-02-15T02:45:54.000000Z"}, {"uuid": "9bd4ccd5-d89c-4c74-b459-f0c74fba5d24", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-36239", "type": "seen", "source": "https://t.me/cibsecurity/26565", "content": "\u203c CVE-2020-36239 \u203c\n\nJira Data Center, Jira Core Data Center, Jira Software Data Center from version 6.3.0 before 8.5.16, from 8.6.0 before 8.13.8, from 8.14.0 before 8.17.0 and Jira Service Management Data Center from version 2.0.2 before 4.5.16, from version 4.6.0 before 4.13.8, and from version 4.14.0 before 4.17.0 exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011[0][1], could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service. [0] In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated. [1] In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-07-29T14:14:13.000000Z"}, {"uuid": "ff365d3b-6a1a-46e4-af43-c86e842dddcb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-36233", "type": "seen", "source": "https://t.me/cibsecurity/23835", "content": "\u203c CVE-2020-36233 \u203c\n\nThe Microsoft Windows Installer for Atlassian Bitbucket Server and Data Center before version 6.10.9, 7.x before 7.6.4, and from version 7.7.0 before 7.10.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-02-18T22:50:28.000000Z"}, {"uuid": "2b8d5ec9-c4f5-4674-a963-eb0dd842c354", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-36232", "type": "seen", "source": "https://t.me/cibsecurity/23956", "content": "\u203c CVE-2020-36232 \u203c\n\nThe MessageBundleWhiteList class of atlassian-gadgets before version 4.2.37, from version 4.3.0 before 4.3.14, from version 4.3.2.0 before 4.3.2.4, from version 4.4.0 before 4.4.12, and from version 5.0.0 before 5.0.1 allowed unexpected DNS lookups and requests to arbitrary services as it incorrectly obtained application base url information from the executing http request which could be attacker controlled.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-02-23T00:33:57.000000Z"}, {"uuid": "c9819544-c932-478a-97a8-0fec0d442746", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-36239", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/3988", "content": "#Offensive_security\n1. Developing an exploit for the Jira Data Center Ehcache RCE (CVE-2020-36239)\nhttps://dozer.nz/posts/CVE-2020-36239-POC-dev\n2. Playing with PuTTY\nhttps://labs.f-secure.com/blog/playing-with-putty", "creation_timestamp": "2021-08-04T11:28:13.000000Z"}]}