ID CVE-2020-36232
Summary The MessageBundleWhiteList class of atlassian-gadgets before version 4.2.37, from version 4.3.0 before 4.3.14, from version 4.3.2.0 before 4.3.2.4, from version 4.4.0 before 4.4.12, and from version 5.0.0 before 5.0.1 allowed unexpected DNS lookups and requests to arbitrary services, because it incorrectly obtained application base URL information from the executing HTTP request, which could be attacker-controlled.
References
Vulnerable Configurations
  • cpe:2.3:a:atlassian:atlassian-gadgets:*:*:*:*:*:atlassian:*:*
  • cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:jira_data_center:8.15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
  • cpe:2.3:a:atlassian:jira_server:8.15.0:*:*:*:*:*:*:*
CVSS
Base: 4.0 (as of 30-03-2022 - 13:29)
Impact:
Exploitability:
CWE CWE-918
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: SINGLE
Impact
  • Confidentiality: PARTIAL
  • Integrity: NONE
  • Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:S/C:P/I:N/A:N
Last major update 30-03-2022 - 13:29
Published 22-02-2021 - 21:15
Last modified 30-03-2022 - 13:29