Jira - Information Disclosure (CVE-2020-14179)
- Severity
- CVSSv3 Score
- 5.3
- Vulnerability description
Jira is affected by an Information Disclosure vulnerability, located in the /secure/QueryComponent!Default.jspa endpoint. This allows attackers to read sensitive information from the target system by sending a specially crafted HTTP GET request to the vulnerable endpoint. An unauthenticated attacker can view custom field names and custom SLA names from the Jira server, which can potentially be a starting point for exposing an additional attack surface.
- Risk description
The risk exists that a remote unauthenticated attacker could exploit this vulnerability to view custom field names and custom SLA names from the QueryComponent JSON file located on the file system of the server.
- Exploit capabilities
Sniper can read arbitrary files from the target system and extract them as evidence.
- Recommendation
Upgrade Jira to the latest version.
- Codename
- Not available
- Detectable with
- Network Scanner
- Exploitable with Sniper
- Yes
- Vuln date
- Sep 2020
- Published at
- Updated at
- Software Type
- Project management
- Vendor
- Atlassian
- Product
- Jira