Security Announcement: Statement on the Atlassian Jira username disclosure vulnerability (CVE-2020-14181)
25-02-2021
Overview
Background
Jira is a defect-tracking and project-management application written in Java. It is widely used for defect tracking, customer service, requirements collection, process approval, task tracking, project tracking and agile management. It integrates with version control systems such as SVN, CVS and Git, and with IDEs such as Eclipse and IntelliJ IDEA through the Atlassian IDE Connector. Recently the H3C Offensive and Defense Laboratory observed that Atlassian had published a fix notice for an information disclosure vulnerability in Jira (CVE-2020-14181), which the laboratory reproduced and analyzed.
Vulnerability description
In affected versions of Atlassian Jira, an API endpoint can be reached without any authentication. Its response differs depending on whether the queried user name exists, so the endpoint acts as a username oracle. An unauthenticated remote attacker can use it to enumerate all valid accounts, which lowers the bar for follow-on attacks such as password guessing against the discovered accounts.
Reproduction
Set up a vulnerable environment (Atlassian Jira 7.3.3) and confirm that it is reachable.
Request the API endpoint directly without authentication and iterate over candidate user names; the response reveals whether each one exists.
Response when the user name does not exist:
Response when the user name exists:
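Because the oracle only tells the attacker whether a name exists, the observable artifact on the defender's side is a single source walking many distinct user-name values against one unauthenticated endpoint in a short time. The following Python script is an added example written for this advisory, not H3C or Atlassian code: it parses Common Log Format access-log lines and flags any source address that probes the endpoint with at least a threshold number of distinct user names inside a sliding time window. The endpoint path (/secure/UserLookup.jspa) and the query-parameter name (username) are placeholders, since the advisory does not name the endpoint; substitute the real ones for your deployment. The sample log lines are constructed, not captured traffic.

```python
"""Detect username-enumeration bursts against an unauthenticated Jira lookup
endpoint by mining web-server access logs.

Added example for this advisory; it is not H3C or Atlassian code. The endpoint
path and query-parameter name are placeholders (ASSUMPTION: the advisory does
not name the endpoint), and the sample log lines are constructed, not real.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# ASSUMPTION: placeholder path/parameter; substitute the endpoint named in the
# vendor advisory for your deployment.
TARGET_PATH = "/secure/UserLookup.jspa"
USERNAME_PARAM = "username"
WINDOW = timedelta(seconds=60)   # sliding window per source address
THRESHOLD = 10                   # distinct user names per source per window

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = parse_qs(parts.query)
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": parts.path,
        "username": query.get(USERNAME_PARAM, [None])[0],
        "status": int(m.group("status")),
    }


def detect_enumeration(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: max distinct user names seen within one window}
    for every source that reaches the threshold against TARGET_PATH.

    Keys on request volume and distinct parameter values rather than on
    status codes, because an existence oracle may answer 200 in both cases
    and differ only in the response body."""
    probes = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH or rec["username"] is None:
            continue
        probes[rec["ip"]].append((rec["ts"], rec["username"]))

    alerts = {}
    for ip, events in probes.items():
        events.sort()
        best = 0
        # Sliding window anchored at each request in turn (O(n^2), fine for
        # per-host volumes; switch to a deque for high-volume logs).
        for i, (start, _) in enumerate(events):
            names = {u for t, u in events[i:] if t - start <= window}
            best = max(best, len(names))
        if best >= threshold:
            alerts[ip] = best
    return alerts


def constructed_sample_log():
    """Constructed sample traffic (not captured data): one source walks twelve
    candidate user names in about 22 s, another makes two ordinary lookups
    five minutes apart, plus one unparseable line."""
    base = datetime(2021, 2, 25, 10, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(12):
        ts = (base + timedelta(seconds=2 * i)).strftime(fmt)
        lines.append(f'203.0.113.5 - - [{ts}] "GET {TARGET_PATH}?{USERNAME_PARAM}=user{i:02d} HTTP/1.1" 200 512')
    for i, name in enumerate(["alice", "bob"]):
        ts = (base + timedelta(minutes=5 * i)).strftime(fmt)
        lines.append(f'198.51.100.7 - - [{ts}] "GET {TARGET_PATH}?{USERNAME_PARAM}={name} HTTP/1.1" 200 512')
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ip, count in detect_enumeration(constructed_sample_log()).items():
        print(f"possible user enumeration from {ip}: {count} distinct names within {WINDOW}")
```

Tune THRESHOLD and WINDOW to the normal lookup rate of your instance; legitimate users rarely query more than a handful of distinct names per minute, while a wordlist-driven scanner produces dozens. Pair the alert with the upgrade below, since detection only tells you enumeration happened, not which accounts were then attacked.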
Affected versions
Jira < 7.13.6
Jira 8.0.0 up to, but not including, 8.5.7
Jira 8.6.0 up to, but not including, 8.12.0
Severity: medium
Solution
The official patch
Atlassian has fixed the vulnerability in newer releases. Upgrade to 7.13.6, 8.5.7 or 8.12.0 (or a later release on the corresponding branch) as soon as possible. Download link: https://www.atlassian.com/zh/software/jira/download
H3C solution
The H3C IPS rule base identifies this vulnerability from version 1.0.109. Users are advised to follow the H3C official website, update the rule base to that version in time, and enable the relevant rules.
Reference link
H3C security emergency response external service
H3C is committed to safeguarding the interests of product users, abides by the principles of responsible disclosure of security incidents, and handles product security issues in accordance with its security issue handling mechanism. For information on H3C's security emergency response service and H3C product vulnerabilities, please visit https://www.h3c.com/en/Support/Online_Help/psirt/.