
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN530
_____________________________________________________________________

DATE                : 22/09/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Atlassian Jira Server and Data
                      Center versions prior to 8.12.0, 7.13.16, 8.5.7.

=====================================================================
https://jira.atlassian.com/browse/JRASERVER-71560
_____________________________________________________________________

User Enumeration via /ViewUserHover.jspa - CVE-2020-14181


Details

    Type:                Bug
    Status:              Closed
    Priority:            Low
    Resolution:          Fixed
    Affects Version/s:   5.0
    Fix Version/s:       8.12.0, 7.13.16, 8.5.7
    Component/s:         Project Administration - Components
    Labels:              advisory cve-2020-14181 information-disclosure

    Fixed in Long Term Support Release/s:  7.13, 8.5
    Introduced in Version:                 5
    Symptom Severity:                      Severity 3 - Minor
    Bug Fix Policy:                        View Atlassian Server bug fix
                                            policy

Description

Affected versions of Atlassian Jira Server and Data Center allow an
unauthenticated user to enumerate users via an Information Disclosure
vulnerability in the /ViewUserHover.jspa endpoint.
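The following Python snippet is an added detection example, not part of this advisory and not code from Atlassian. It scans web-server access logs for the enumeration pattern the advisory describes: one source address issuing many unauthenticated requests to /ViewUserHover.jspa with a different user each time. The log lines are constructed in Apache combined-log style, and the name of the query parameter carrying the looked-up user (`username`) is an assumption; adjust both to match your front-end proxy and Jira deployment.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined-log style (not real Jira logs).
# The first four requests come from one address with no authenticated user and
# each names a different account; the last two are an ordinary logged-in user.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Sep/2020:10:00:01 +0200] "GET /ViewUserHover.jspa?username=alice HTTP/1.1" 200 812 "-" "curl/7.68.0"
203.0.113.7 - - [22/Sep/2020:10:00:02 +0200] "GET /ViewUserHover.jspa?username=bob HTTP/1.1" 200 801 "-" "curl/7.68.0"
203.0.113.7 - - [22/Sep/2020:10:00:02 +0200] "GET /ViewUserHover.jspa?username=carol HTTP/1.1" 200 798 "-" "curl/7.68.0"
203.0.113.7 - - [22/Sep/2020:10:00:03 +0200] "GET /ViewUserHover.jspa?username=dave HTTP/1.1" 200 805 "-" "curl/7.68.0"
198.51.100.20 - jsmith [22/Sep/2020:10:05:11 +0200] "GET /ViewUserHover.jspa?username=alice HTTP/1.1" 200 812 "https://jira.example/browse/PROJ-1" "Mozilla/5.0"
198.51.100.20 - jsmith [22/Sep/2020:10:07:40 +0200] "GET /browse/PROJ-1 HTTP/1.1" 200 14020 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident authuser [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

ENDPOINT = "/ViewUserHover.jspa"
USER_PARAM = "username"  # assumption: parameter name of the looked-up account


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_enumeration(log_text, threshold=3):
    """Map each source IP to the sorted list of distinct accounts it looked up
    through the hover endpoint without being logged in, keeping only sources
    that exceeded `threshold` distinct names (a strong sign of enumeration)."""
    looked_up = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] != "-":
            continue  # unparsable line or an authenticated request
        url = urlsplit(rec["path"])
        if url.path != ENDPOINT:
            continue
        for name in parse_qs(url.query).get(USER_PARAM, []):
            looked_up[rec["ip"]].add(name)
    return {
        ip: sorted(names)
        for ip, names in looked_up.items()
        if len(names) >= threshold
    }


if __name__ == "__main__":
    for ip, names in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} distinct accounts probed: {', '.join(names)}")
```

The threshold and the "unauthenticated only" filter are deliberately conservative: legitimate users trigger the hover card a few times per session while logged in, so a burst of anonymous requests naming many different accounts stands out. Run it against a log window before and after the upgrade to confirm the endpoint no longer answers anonymous callers.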

This vulnerability was discovered by Mikhail Klyuchnikov of Positive
Technologies.

Affected versions:

    version < 7.13.6
    8.0.0 ≤ version < 8.5.7
    8.6.0 ≤ version < 8.12.0

Fixed versions:

    7.13.6
    8.5.7
    8.12.0
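As an added example (not part of the advisory and not Atlassian's tooling), the following Python function encodes the three affected ranges above so an inventory script can classify an installed Jira version and name the release that closes its range. Version strings are assumed to be dotted numerics, optionally followed by a build suffix after a dash; anything fancier needs a real version parser.

```python
import re

# Affected ranges exactly as listed in the advisory: (lower bound inclusive or
# None for "any earlier version", upper bound exclusive = the fixing release).
AFFECTED_RANGES = [
    (None, "7.13.6"),
    ("8.0.0", "8.5.7"),
    ("8.6.0", "8.12.0"),
]


def parse_version(text):
    """Turn '8.5.6' or '8.5.6-m0001' into a comparable tuple padded to 3 parts."""
    core = text.split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


def fixing_release(version):
    """Return the release that closes the affected range containing `version`,
    or None when the version is not in any affected range."""
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        below_upper = v < parse_version(upper)
        at_or_above_lower = lower is None or v >= parse_version(lower)
        if below_upper and at_or_above_lower:
            return upper
    return None


def is_affected(version):
    """True when the installed version falls inside one of the advisory's ranges."""
    return fixing_release(version) is not None


if __name__ == "__main__":
    for v in ["7.13.5", "7.13.6", "7.13.10", "8.5.6", "8.5.7", "8.6.0", "8.11.1", "8.12.0"]:
        fix = fixing_release(v)
        print(f"{v:8s} -> {'AFFECTED, upgrade to ' + fix if fix else 'not in an affected range'}")
```

Note the gaps the ranges leave: a 7.13.x release at or above 7.13.6, or an 8.5.x release at or above 8.5.7, is reported as not affected even though it is older than 8.12.0, which matches how the advisory lists fixes per Long Term Support line.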


Issue Links

is detailed by
    VULN-164855


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================