CVE-2020-4028

Published: Jun 23, 2020Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Versions before 8.9.1, Various resources in Jira responded with a 404 instead of redirecting unauthenticated users to the login page, in some situations this may have allowed unauthorised attackers to determine if certain resources exist or not through an Information Disclosure vulnerability.

Affected (2)

Products: Atlassian: Jira, Jira Software Data Center

2 products

Jira Software Data Center

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Atlassian Jira	Before 8.9.1
Atlassian Jira Software Data Center	Before 8.9.1

Related CWEs

Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References (2)

https://jira.atlassian.com/browse/JRASERVER-71175

Source: security@atlassian.com

Issue TrackingVendor Advisory

https://jira.atlassian.com/browse/JRASERVER-71175

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

Timeline

No history available yet.