Information disclosure in Jira Software - CVE-2020-14168

 

Information disclosure in Jira Software - CVE-2020-14168

Published: July 1, 2020 / Updated: July 17, 2020


Vulnerability identifier: #VU30152
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-14168
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Atlassian
Affected software:
Jira Software

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The email client in Jira Server and Data Center before version 7.13.16, from 8.5.0 before 8.5.7, from 8.8.0 before 8.8.2, and from 8.9.0 before 8.9.1 allows remote attackers to access outgoing emails between a Jira instance and the SMTP server via man-in-the-middle (MITM) vulnerability.


How to mitigate CVE-2020-14168

Install update from vendor's website.

Sources