Detections
Analytics
Atlassian Jira < 7.13.14 / 8.5.x < 8.5.5 / 8.8.x < 8.8.2 / 8.9.0 < 8.9.1 MitM (JRASERVER-71198)
medium Nessus Plugin ID 138329
Language:
Synopsis
The remote web server hosts a web application that is affected by a man-in-the-middle vulnerability.Description
According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is prior to 7.13.14, or version 8.5.x prior to 8.5.5, 8.8.x prior to 8.8.2, or 8.9.x prior to 8.9.1. It is, therefore, affected by a man-in-the-middle (MitM) vulnerability in the email client of Jira Server and Data Center. A remote, unauthenticated attacker can exploit this in order to access outgoing emails between a Jira instance and the SMTP server.Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Atlassian Jira version 7.13.16, 8.5.7, 8.8.2, 8.9.1, 8.10.0 or later.See Also
https://jira.atlassian.com/browse/JRASERVER-71198
http://www.nessus.org/u?a0476f57
Plugin Details
Severity: Medium
ID: 138329
File Name: jira_8_10_0_jraserver-71198.nasl
Version: 1.7
Type: combined
Agent: windows, macosx, unix
Family: CGI abuses
Published: 7/9/2020
Updated: 6/5/2024
Configuration: Enable thorough checks
Supported Sensors: Nessus Agent, Nessus
Enable CGI Scanning: true
Risk Information
VPR
Risk Factor: Low
Score: 3.6
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.2
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS Score Source: CVE-2020-14168
CVSS v3
Risk Factor: Medium
Base Score: 5.9
Temporal Score: 5.2
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:atlassian:jira
Required KB Items: installed_sw/Atlassian JIRA
Exploit Ease: No known exploits are available
Patch Publication Date: 6/18/2020
Vulnerability Publication Date: 6/18/2020
Reference Information
CVE: CVE-2020-14168
IAVA: 2020-A-0284-S