cnvd - cnvd-2021-39166

cnvd-2021-39166

Vulnerability from cnvd

Title: Atlassian JIRA Server和Data Center授权问题漏洞（CNVD-2021-39166）

Description:

Atlassian JIRA Server和Atlassian JIRA Data Center都是澳大利亚Atlassian（Atlassian）公司的产品。Atlassian JIRA Server是一套缺陷跟踪管理系统的服务器版本。该系统主要用于对工作中各类问题、缺陷进行跟踪管理。Atlassian JIRA Data Center是Atlassian JIRA的数据中心版本。

Atlassian JIRA Server和Data Center 8.9.0之前版本中的UniversalAvatarResource.getAvatars资源存在授权问题漏洞。该漏洞源于网络系统或产品中缺少身份验证措施或身份验证强度不足。远程攻击者可利用该漏洞获取有关自定义项目头像名称的信息。

Severity: 中

Patch Name: Atlassian JIRA Server和Data Center授权问题漏洞（CNVD-2021-39166）的补丁

Patch Description:

Atlassian JIRA Server和Data Center 8.9.0之前版本中的UniversalAvatarResource.getAvatars资源存在授权问题漏洞。该漏洞源于网络系统或产品中缺少身份验证措施或身份验证强度不足。远程攻击者可利用该漏洞获取有关自定义项目头像名称的信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://jira.atlassian.com/browse/JRASERVER-71185

Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-14165

Impacted products

Name
['Atlassian JIRA Server <8.9.0', 'Atlassian Jira Data Center <8.9.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-14165"
    }
  },
  "description": "Atlassian JIRA Server\u548cAtlassian JIRA Data Center\u90fd\u662f\u6fb3\u5927\u5229\u4e9aAtlassian\uff08Atlassian\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002Atlassian JIRA Server\u662f\u4e00\u5957\u7f3a\u9677\u8ddf\u8e2a\u7ba1\u7406\u7cfb\u7edf\u7684\u670d\u52a1\u5668\u7248\u672c\u3002\u8be5\u7cfb\u7edf\u4e3b\u8981\u7528\u4e8e\u5bf9\u5de5\u4f5c\u4e2d\u5404\u7c7b\u95ee\u9898\u3001\u7f3a\u9677\u8fdb\u884c\u8ddf\u8e2a\u7ba1\u7406\u3002Atlassian JIRA Data Center\u662fAtlassian JIRA\u7684\u6570\u636e\u4e2d\u5fc3\u7248\u672c\u3002\n\nAtlassian JIRA Server\u548cData Center 8.9.0\u4e4b\u524d\u7248\u672c\u4e2d\u7684UniversalAvatarResource.getAvatars\u8d44\u6e90\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u4e2d\u7f3a\u5c11\u8eab\u4efd\u9a8c\u8bc1\u63aa\u65bd\u6216\u8eab\u4efd\u9a8c\u8bc1\u5f3a\u5ea6\u4e0d\u8db3\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u6709\u5173\u81ea\u5b9a\u4e49\u9879\u76ee\u5934\u50cf\u540d\u79f0\u7684\u4fe1\u606f\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://jira.atlassian.com/browse/JRASERVER-71185",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-39166",
  "openTime": "2021-06-03",
  "patchDescription": "Atlassian JIRA Server\u548cAtlassian JIRA Data Center\u90fd\u662f\u6fb3\u5927\u5229\u4e9aAtlassian\uff08Atlassian\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002Atlassian JIRA Server\u662f\u4e00\u5957\u7f3a\u9677\u8ddf\u8e2a\u7ba1\u7406\u7cfb\u7edf\u7684\u670d\u52a1\u5668\u7248\u672c\u3002\u8be5\u7cfb\u7edf\u4e3b\u8981\u7528\u4e8e\u5bf9\u5de5\u4f5c\u4e2d\u5404\u7c7b\u95ee\u9898\u3001\u7f3a\u9677\u8fdb\u884c\u8ddf\u8e2a\u7ba1\u7406\u3002Atlassian JIRA Data Center\u662fAtlassian JIRA\u7684\u6570\u636e\u4e2d\u5fc3\u7248\u672c\u3002\r\n\r\nAtlassian JIRA Server\u548cData Center 8.9.0\u4e4b\u524d\u7248\u672c\u4e2d\u7684UniversalAvatarResource.getAvatars\u8d44\u6e90\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u4e2d\u7f3a\u5c11\u8eab\u4efd\u9a8c\u8bc1\u63aa\u65bd\u6216\u8eab\u4efd\u9a8c\u8bc1\u5f3a\u5ea6\u4e0d\u8db3\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u6709\u5173\u81ea\u5b9a\u4e49\u9879\u76ee\u5934\u50cf\u540d\u79f0\u7684\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Atlassian JIRA Server\u548cData Center\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2021-39166\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Atlassian JIRA Server \u003c8.9.0",
      "Atlassian Jira Data Center \u003c8.9.0"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-14165",
  "serverity": "\u4e2d",
  "submitTime": "2020-07-02",
  "title": "Atlassian JIRA Server\u548cData Center\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2021-39166\uff09"
}

CVE-2020-14165 (GCVE-0-2020-14165)

Vulnerability from cvelistv5

Published

2020-07-01 01:35

Modified

2024-09-16 22:26

Severity ?

CWE

Improper authorization

Summary

The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization vulnerability.

References

▼	URL	Tags
	https://jira.atlassian.com/browse/JRASERVER-71185	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Atlassian	Jira Server and Data Center	Version: unspecified < 8.9.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T12:39:36.024Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://jira.atlassian.com/browse/JRASERVER-71185"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Jira Server and Data Center",
          "vendor": "Atlassian",
          "versions": [
            {
              "lessThan": "8.9.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2020-07-01T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization vulnerability."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Improper authorization",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-01T01:35:25",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.atlassian.com/browse/JRASERVER-71185"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@atlassian.com",
          "DATE_PUBLIC": "2020-07-01T00:00:00",
          "ID": "CVE-2020-14165",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Jira Server and Data Center",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "8.9.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Atlassian"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The UniversalAvatarResource.getAvatars resource in Jira Server and Data Center before version 8.9.0 allows remote attackers to obtain information about custom project avatars names via an Improper authorization vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jira.atlassian.com/browse/JRASERVER-71185",
              "refsource": "MISC",
              "url": "https://jira.atlassian.com/browse/JRASERVER-71185"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2020-14165",
    "datePublished": "2020-07-01T01:35:25.806770Z",
    "dateReserved": "2020-06-16T00:00:00",
    "dateUpdated": "2024-09-16T22:26:41.672Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted