CVE-2020-14181

high-risk

Published 2020-09-17

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, and from version 8.6.0 before 8.12.0.

Do I need to act?

93.0% chance of exploitation in next 30 days

EPSS score — higher than 7% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

49633

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (3)

Data Center

Jira

Jira Server

Affected Vendors

Atlassian

References (4)

Exploit http://packetstormsecurity.com/files/161730/Atlassian-JIRA-8.11.1-User-Enumerati...

Issue Tracking https://jira.atlassian.com/browse/JRASERVER-71560

Exploit http://packetstormsecurity.com/files/161730/Atlassian-JIRA-8.11.1-User-Enumerati...

Issue Tracking https://jira.atlassian.com/browse/JRASERVER-71560

/ 100

high-risk

Severity 21/34 · High

Exploitability 20/34 · Moderate

Exposure 9/34 · Low