CVE-2019-20412 - Vulnerability Details

Vendors	Products
Atlassian	Jira Jira Data Center Jira Server Jira Software Data Center

Link	Providers
https://jira.atlassian.com/browse/JRASERVER-70882

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "Jira Server", "vendor": "Atlassian", "versions": [{"lessThan": "7.13.9", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom"}, {"lessThan": "8.4.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2020-04-08T00:00:00", "descriptions": [{"lang": "en", "value": "The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue Keys; Issue Types; Status Types. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2."}], "problemTypes": [{"descriptions": [{"description": "Information Disclosure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-06-29T05:50:11", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://jira.atlassian.com/browse/JRASERVER-70882"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2020-04-08T00:00:00", "ID": "CVE-2019-20412", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jira Server", "version": {"version_data": [{"version_affected": "<", "version_value": "7.13.9"}, {"version_affected": ">=", "version_value": "8.0.0"}, {"version_affected": "<", "version_value": "8.4.2"}]}}]}, "vendor_name": "Atlassian"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue Keys; Issue Types; Status Types. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information Disclosure"}]}]}, "references": {"reference_data": [{"name": "https://jira.atlassian.com/browse/JRASERVER-70882", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-70882"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T02:39:09.869Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jira.atlassian.com/browse/JRASERVER-70882"}]}]}, "cveMetadata": {"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-20412", "datePublished": "2020-06-29T05:50:11.692351Z", "dateReserved": "2020-01-23T00:00:00", "dateUpdated": "2024-09-17T00:06:43.084Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : Jira Server (string)

vendor : Atlassian (string)

versions : [ »

0 : { »

lessThan : 7.13.9 (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

1 : { »

lessThan : unspecified (string)

status : affected (string)

version : 8.0.0 (string)

versionType : custom (string)

}

2 : { »

lessThan : 8.4.2 (string)

status : affected (string)

version : unspecified (string)

versionType : custom (string)

}

]

}

]

datePublic : 2020-04-08T00:00:00 (string)

descriptions : [ »

0 : { »

lang : en (string)

value : The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue Keys; Issue Types; Status Types. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

description : Information Disclosure (string)

lang : en (string)

type : text (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2020-06-29T05:50:11 (string)

orgId : f08a6ab8-ed46-4c22-8884-d911ccfe3c66 (string)

shortName : atlassian (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://jira.atlassian.com/browse/JRASERVER-70882 (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : security@atlassian.com (string)

DATE_PUBLIC : 2020-04-08T00:00:00 (string)

ID : CVE-2019-20412 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : Jira Server (string)

version : { »

version_data : [ »

0 : { »

version_affected : < (string)

version_value : 7.13.9 (string)

}

1 : { »

version_affected : >= (string)

version_value : 8.0.0 (string)

}

2 : { »

version_affected : < (string)

version_value : 8.4.2 (string)

}

]

}

]

}

vendor_name : Atlassian (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue Keys; Issue Types; Status Types. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : Information Disclosure (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://jira.atlassian.com/browse/JRASERVER-70882 (string)

refsource : MISC (string)

url : https://jira.atlassian.com/browse/JRASERVER-70882 (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-05T02:39:09.869Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://jira.atlassian.com/browse/JRASERVER-70882 (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : f08a6ab8-ed46-4c22-8884-d911ccfe3c66 (string)

assignerShortName : atlassian (string)

cveId : CVE-2019-20412 (string)

datePublished : 2020-06-29T05:50:11.692351Z (string)

dateReserved : 2020-01-23T00:00:00 (string)

dateUpdated : 2024-09-17T00:06:43.084Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "1A5B1084-0838-4618-A0E0-C34E5A4DD438", "versionEndExcluding": "7.13.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "C66A32E0-AF2A-457D-8634-BC141F93EF97", "versionEndExcluding": "8.4.2", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B04AEDB9-DA55-4EB4-A30E-1487A1E352EA", "versionEndExcluding": "8.4.2", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*", "matchCriteriaId": "DD3FC6D0-18E4-4BF7-8DE2-3D03730A7AAF", "versionEndExcluding": "7.13.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue Keys; Issue Types; Status Types. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2."}, {"lang": "es", "value": "La p\u00e1gina Convert Sub-Task to Issue en las versiones afectadas de Atlassian Jira Server y Data Center, permite a atacantes remotos enumerar la siguiente informaci\u00f3n por medio de una vulnerabilidad de autenticaci\u00f3n incorrecta: Workflow names; Project Key, si forma parte del nombre del flujo de trabajo; Issue Keys; Issue Types; Status Types Las versiones afectadas son anteriores a la versi\u00f3n 7.13.9 y desde la versi\u00f3n 8.0.0 anteriores a 8.4.2"}], "id": "CVE-2019-20412", "lastModified": "2024-11-21T04:38:25.153", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-29T06:15:10.843", "references": [{"source": "security@atlassian.com", "tags": ["Vendor Advisory"], "url": "https://jira.atlassian.com/browse/JRASERVER-70882"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://jira.atlassian.com/browse/JRASERVER-70882"}], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 1A5B1084-0838-4618-A0E0-C34E5A4DD438 (string)

versionEndExcluding : 7.13.9 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:* (string)

matchCriteriaId : C66A32E0-AF2A-457D-8634-BC141F93EF97 (string)

versionEndExcluding : 8.4.2 (string)

versionStartIncluding : 8.0.0 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:* (string)

matchCriteriaId : B04AEDB9-DA55-4EB4-A30E-1487A1E352EA (string)

versionEndExcluding : 8.4.2 (string)

versionStartIncluding : 8.0.0 (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:* (string)

matchCriteriaId : DD3FC6D0-18E4-4BF7-8DE2-3D03730A7AAF (string)

versionEndExcluding : 7.13.9 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : The Convert Sub-Task to Issue page in affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the following information via an Improper Authentication vulnerability: Workflow names; Project Key, if it is part of the workflow name; Issue Keys; Issue Types; Status Types. The affected versions are before version 7.13.9, and from version 8.0.0 before 8.4.2. (string)

}

1 : { »

lang : es (string)

value : La página Convert Sub-Task to Issue en las versiones afectadas de Atlassian Jira Server y Data Center, permite a atacantes remotos enumerar la siguiente información por medio de una vulnerabilidad de autenticación incorrecta: Workflow names; Project Key, si forma parte del nombre del flujo de trabajo; Issue Keys; Issue Types; Status Types Las versiones afectadas son anteriores a la versión 7.13.9 y desde la versión 8.0.0 anteriores a 8.4.2 (string)

}

]

id : CVE-2019-20412 (string)

lastModified : 2024-11-21T04:38:25.153 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : LOW (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : NONE (string)

baseScore : 5 (number)

confidentialityImpact : PARTIAL (string)

integrityImpact : NONE (string)

vectorString : AV:N/AC:L/Au:N/C:P/I:N/A:N (string)

version : 2.0 (string)

}

exploitabilityScore : 10 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 5.3 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : NONE (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 3.9 (number)

impactScore : 1.4 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2020-06-29T06:15:10.843 (string)

references : [ »

0 : { »

source : security@atlassian.com (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://jira.atlassian.com/browse/JRASERVER-70882 (string)

}

1 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://jira.atlassian.com/browse/JRASERVER-70882 (string)

}

]

sourceIdentifier : security@atlassian.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-287 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object