QID 150436

Date Published: 2021-12-09

QID 150436: Atlassian Jira Server User Email Enumeration Vulnerability (JRASERVER-72293)

Jira is a proprietary issue tracking product developed by Atlassian. It provides bug tracking, issue tracking, and project management functions.

The installed version of Atlassian Jira Server allows unauthenticated remote attackers to view users' email addresses via an information disclosure vulnerability in the /rest/api/2/search endpoint.

Affected versions:
before version 8.5.13
from version 8.6.0 before 8.13.5
from version 8.14.0 before 8.15.1
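As an added example, not part of the Qualys advisory or Atlassian's code, the following Python maps a reported Jira Server version onto the three affected ranges above, which is the comparison a scanner performs when it raises this QID; the hostnames and versions in SAMPLE_INVENTORY are constructed.

```python
"""Map a Jira Server version onto the affected ranges for JRASERVER-72293.
Added example, not Qualys or Atlassian code; SAMPLE_INVENTORY is constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges from the advisory as half-open [low, high) intervals;
# a low of None means "every release before high".
AFFECTED_RANGES: Tuple[Tuple[Optional[str], str], ...] = (
    (None, "8.5.13"),      # before 8.5.13
    ("8.6.0", "8.13.5"),   # from 8.6.0 before 8.13.5
    ("8.14.0", "8.15.1"),  # from 8.14.0 before 8.15.1
)

# Constructed inventory: hostname -> Jira Server version reported by the host.
SAMPLE_INVENTORY: Dict[str, str] = {
    "jira-prod.example.test": "8.13.4",   # inside the 8.6.0..8.13.5 range
    "jira-lts.example.test": "8.5.13",    # first fixed 8.5.x release
    "jira-dev.example.test": "8.14.1",    # inside the 8.14.0..8.15.1 range
    "jira-new.example.test": "8.20.2",    # after every affected range
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'8.13.4' -> (8, 13, 4). Trailing non-digits in a component (a build
    tag) are ignored; a component with no leading digits is an error.
    Short strings are padded so '8.5' compares as 8.5.0."""
    nums = []
    for part in version.strip().split("."):
        m = re.match(r"\d+", part)
        if m is None:
            raise ValueError(f"unparseable version component: {part!r}")
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's ranges."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        above_low = low is None or v >= parse_version(low)
        if above_low and v < parse_version(high):
            return True
    return False


def flag_affected(inventory: Dict[str, str]) -> List[str]:
    """Hostnames whose reported version is affected, sorted for stable output."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))
```

Note that 8.5.13 and 8.13.5 are the first fixed releases of their lines, so the boundaries are exclusive on the high side exactly as the advisory states them.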

Successful exploitation would allow an attacker to enumerate the email addresses of users, which can aid further attacks and the collection of sensitive information.

  • CVSS V3 rated as Medium - 5.3 severity.
  • CVSS V2 rated as Medium - 5 severity.
  • Solution
    Upgrade Atlassian Jira to a newer, unaffected version.
  • Vendor References
    CVEs related to QID 150436

    Software Advisories
    Advisory ID: JRASERVER-72293
    Link: jira.atlassian.com/browse/JRASERVER-72293