Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2020-36239

Опубликовано: 29 июл. 2021
Источник: nvd
CVSS3: 9.8
CVSS2: 7.5
EPSS Средний

Описание

Jira Data Center, Jira Core Data Center, Jira Software Data Center from version 6.3.0 before 8.5.16, from 8.6.0 before 8.13.8, from 8.14.0 before 8.17.0 and Jira Service Management Data Center from version 2.0.2 before 4.5.16, from version 4.6.0 before 4.13.8, and from version 4.14.0 before 4.17.0 exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011[0][1], could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service. [0] In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated. [1] In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache o

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
Версия от 6.3.0 (включая) до 8.5.16 (исключая)
cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
Версия от 8.6.0 (включая) до 8.13.8 (исключая)
cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
Версия от 8.14.0 (включая) до 8.17.0 (исключая)
cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:data_center:*:*:*
Версия от 2.0.2 (включая) до 4.5.16 (исключая)
cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:data_center:*:*:*
Версия от 4.6.0 (включая) до 4.13.8 (исключая)
cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*
Версия от 4.14.0 (включая) до 4.17.0 (исключая)

EPSS

Процентиль: 95%
0.16173
Средний

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-862
CWE-306
CWE-862

Связанные уязвимости

github логотип

GHSA-2xhw-jfhh-p475

CVSS3: 9.8
github
больше 3 лет назад

Jira Data Center, Jira Core Data Center, Jira Software Data Center from version 6.3.0 before 8.5.16, from 8.6.0 before 8.13.8, from 8.14.0 before 8.17.0 and Jira Service Management Data Center from version 2.0.2 before 4.5.16, from version 4.6.0 before 4.13.8, and from version 4.14.0 before 4.17.0 exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011[0][1], could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service. [0] In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated. [1] In Jira Service Management Data Center versions prior to 3.16.1, the Ehca...

fstec логотип

BDU:2021-04000

CVSS3: 8.8
fstec
больше 4 лет назад

Уязвимость сетевого сервиса Ehcache RMI программных продуктов для обработки данных Jira Data Center, Jira Core Data Center, Jira Software Data Center, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 95%
0.16173
Средний

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-862
CWE-306
CWE-862