A new vulnerability that allows an attacker to obtain sensitive user information has been discovered in Jira, a popular system for bug tracking, user interaction and project management.
The information disclosure vulnerability, tracked as CVE-2020-14181, has a CVSS score of 5.3 and was first found by Positive Technologies expert Mikhail Klyuchnikov. It affects Jira Server and Jira Data Center and arises because any unauthorized user can access a specific script.
Jira’s developer, Atlassian, is known for popular products used by 170,000 clients in over 190 countries, and 83 percent of its customers are part of the Fortune Global 500.
Senior security researcher at Positive Technologies Mikhail Klyuchnikov provided further insight into the vulnerability he discovered in a press release, saying:
“Such vulnerabilities help attackers to significantly save time in their attempts to breach systems: they make it possible to determine the presence of an account with a particular login in the system. By brute-forcing various logins, attackers can identify which users are present in the system. If a login exists, the system discloses the user’s personal data (in cases where such data is present), and if a login is not found, the system reports it.
“After brute-forcing the existing logins, the attackers could go on to brute-force the passwords of each existing user. Without this vulnerability, attackers would have to haphazardly brute-force the passwords to logins which might not exist in the system. The vulnerability reduces the time hackers would need and decreases the probability of being detected, which, ultimately, makes the target less attractive for attackers. That’s why we strongly recommend installing the updates.”
Thankfully, Atlassian has patched the vulnerability in product versions 7.13.6, 8.5.7 and 8.12.0, and customers should install the update immediately to avoid falling victim to attacks exploiting it.
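How the login oracle the researcher describes works, what the hardened form looks like, and how its abuse shows up in access logs, as an added example that is not part of the article or of Atlassian's code; the lookup functions, log format, client addresses and usernames are all constructed for illustration.

```python
"""Added example, not code from the article or from Atlassian: a user lookup
that acts as a login oracle, its hardened counterpart, and a log check that
flags the enumeration pattern described above. All data here is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account store standing in for an application's user directory.
USERS = {"alice": {"email": "alice@example.test"}, "bob": {"email": "bob@example.test"}}

def lookup_leaky(username):
    """Oracle: the answer differs for existing and missing logins, so each
    request confirms or rules out one account before any password is tried."""
    if username in USERS:
        return {"status": 200, "body": USERS[username]}
    return {"status": 404, "body": "user not found"}

def lookup_hardened(username, authenticated):
    """Hardened form: no existence signal or profile data without a session;
    anonymous callers receive one uniform response for any username."""
    if not authenticated:
        return {"status": 403, "body": "authentication required"}
    return lookup_leaky(username)

# Constructed access-log lines: "<timestamp> <client> <method> <path> <status>".
LOG = """\
2020-09-20T10:00:01Z 203.0.113.5 GET /lookup?user=alice 200
2020-09-20T10:00:02Z 203.0.113.5 GET /lookup?user=carol 404
2020-09-20T10:00:02Z 203.0.113.5 GET /lookup?user=dave 404
2020-09-20T10:00:03Z 203.0.113.5 GET /lookup?user=erin 404
2020-09-20T10:00:03Z 203.0.113.5 GET /lookup?user=frank 404
2020-09-20T10:05:00Z 198.51.100.7 GET /lookup?user=bob 200
""".splitlines()

def flag_enumeration(lines, threshold=4, window=timedelta(minutes=1)):
    """Return clients that queried at least `threshold` distinct usernames
    within `window`. Enumeration is one cheap request per login, so the
    signal is breadth of distinct names from one source, not status codes."""
    events = defaultdict(list)
    for line in lines:
        ts, client, _method, path, _status = line.split()
        user = path.split("user=", 1)[1]
        events[client].append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user))
    flagged = []
    for client, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            names = {u for t, u in evs[i:] if t - t0 <= window}
            if len(names) >= threshold:
                flagged.append(client)
                break
    return sorted(flagged)
```

The threshold and window are tuning knobs: legitimate users rarely look up more than a handful of distinct colleagues per minute, while an enumeration run touches many names in seconds.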