Atlassian JIRA ProfileLinkUserFormat Information Disclosure Vulnerability

medium Nessus Plugin ID 117338

Synopsis

The remote web server hosts a web application that is affected by a vulnerability which allows remote attackers who can access and view an issue the ability to obtain the email address of the reporter and assignee despite the email visibility setting being set to hidden.

Description

The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from version 7.11.0 before version 7.11.2 allows remote attackers who can access & view an issue to obtain the email address of the reporter and assignee user of an issue despite the configured email visibility setting being set to hidden.

Solution

Upgrade to Atlassian JIRA version 7.6.8 / 7.7.5 / 7.8.5 / 7.9.3 / 7.10.3 / 7.11.2 or later.

See Also

https://jira.atlassian.com/browse/JRASERVER-67750

Plugin Details

Severity: Medium

ID: 117338

File Name: jira_7_9_3_email_visibility.nasl

Version: 1.9

Type: combined

Agent: windows, macosx, unix

Family: CGI abuses

Published: 9/7/2018

Updated: 6/5/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent, Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2018-13391

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:atlassian:jira

Required KB Items: installed_sw/Atlassian JIRA

Exploit Ease: No known exploits are available

Patch Publication Date: 8/10/2018

Vulnerability Publication Date: 8/10/2018

Reference Information

CVE: CVE-2018-13391

BID: 105165