====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN584
_____________________________________________________________________

DATE                : 21/10/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Atlassian Jira Server versions
                     prior to 8.12.3, 8.5.9, 8.13.1, 8.14.0, 7.13.18.

=====================================================================
https://jira.atlassian.com/browse/JRASERVER-71652
https://jira.atlassian.com/browse/JRASERVER-71696
_____________________________________________________________________

    Jira Server and Data CenterJRASERVER-71652
XSS in Jira issue filter export file via malicious full name -
CVE-2020-14184


Details

    Type:                Bug
    Status:              Closed (View Workflow)
    Priority:            Low
    Resolution:          Fixed
    Affects Version/s:   8.4.2, 8.10.0
    Fix Version/s:       8.12.3, 8.5.9, 8.13.1, 8.14.0
    Component/s:         User Management - Others
    Labels:              CVE-2020-14184 advisory cvss-medium security
                          security-imported xss

    Fixed in Long Term Support Release/s:  Download 8.5
    Introduced in Version:                 8.04
    Support reference count:               1
    Symptom Severity:                      Severity 3 - Minor
    Bug Fix Policy:                 View Atlassian Server bug fix policy


Description

Affected versions of Atlassian Jira Server allow remote attackers to
inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS)
vulnerability in Jira issue filter export files.

_____________________________________________________________________


    Jira Server and Data CenterJRASERVER-71696
Unauthenticated user can Enumerate Issue Keys - CVE-2020-14185


Details

    Type:                Public Security Vulnerability
    Status:              Published (View Workflow)
    Priority:            Low
    Resolution:          Fixed
    Affects Version/s:   8.5.0, 8.6.0, 7.13.17
    Fix Version/s:       7.13.18, 8.5.9, 8.14.0
    Component/s:         None
    Labels:              CVE-2020-14185 advisory advisory-to-release
                          basm cvss-low dont-import security

    CVSS Score:          3.7
    CVSS Severity:       Low


Description

Affected versions of Jira Server allow remote unauthenticated attackers
to enumerate issue keys via a missing permissions check in the
ActionsAndOperations resource.

The affected versions are before 7.13.18, from version 8.0.0 before
8.5.9, and from version 8.6.0 before version 8.12.2.

Affected versions:

    version < 7.13.18
    8.0.0 ≤ version < 7.13.18
    8.6.0 ≤ version < 8.12.2

Fixed versions:

    7.13.18

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================