CVE-2017-18101

Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if an internal service exists through missing permission checks.

CVSS v3 6.5 MEDIUM
CVSS v2.0 6.4 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

6.4^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:N

Exploitability : 10.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.securityfocus.com/bid/103730	Broken Link
https://jira.atlassian.com/browse/JRASERVER-67107	Vendor Advisory
http://www.securityfocus.com/bid/103730	Broken Link
https://jira.atlassian.com/browse/JRASERVER-67107	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:atlassian:jira::::::::
	cpe:2.3:a:atlassian:jira_server::::::::
	cpe:2.3:a:atlassian:jira_server::::::::

History

21 Nov 2024, 03:19

Type	Values Removed	Values Added
References	~~() http://www.securityfocus.com/bid/103730 - Broken Link~~	() http://www.securityfocus.com/bid/103730 - Broken Link
References	~~() https://jira.atlassian.com/browse/JRASERVER-67107 - Vendor Advisory~~	() https://jira.atlassian.com/browse/JRASERVER-67107 - Vendor Advisory

Information

Published : 2018-04-10 13:29

Updated : 2024-11-21 03:19

NVD link : CVE-2017-18101

Mitre link : CVE-2017-18101

CVE.ORG link : CVE-2017-18101

JSON object : View

Products Affected

atlassian

jira_server
jira

CWE

CWE-284

Improper Access Control

CWE-862

Missing Authorization

{"id": "CVE-2017-18101", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.4, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2018-04-10T13:29:00.383", "references": [{"url": "http://www.securityfocus.com/bid/103730", "tags": ["Broken Link"], "source": "security@atlassian.com"}, {"url": "https://jira.atlassian.com/browse/JRASERVER-67107", "tags": ["Vendor Advisory"], "source": "security@atlassian.com"}, {"url": "http://www.securityfocus.com/bid/103730", "tags": ["Broken Link"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://jira.atlassian.com/browse/JRASERVER-67107", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@atlassian.com", "description": [{"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if an internal service exists through missing permission checks."}, {"lang": "es", "value": "Varos recursos administrativos de importaci\u00f3n de sistema externo en Atlassian JIRA Server (incluyendo JIRA Core), en versiones anteriores a la 7.6.5, de la versi\u00f3n 7.7.0 antes de la 7.7.3, de la versi\u00f3n 7.8.0 anterior a la 7.8.3 y antes de la versi\u00f3n 7.9.0, permite que atacantes remotos ejecuten operaciones de importaci\u00f3n y determinen si existe un servicio interno a trav\u00e9s de la falta de comprobaci\u00f3n de permisos."}], "lastModified": "2024-11-21T03:19:21.673", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3517B751-F490-40D0-9612-F64511DA1D81", "versionEndExcluding": "7.6.5"}, {"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D0281160-9946-46A0-A6FC-B63971CFDEA0", "versionEndExcluding": "7.7.3", "versionStartIncluding": "7.7.0"}, {"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DBBB1C9A-EB14-4C67-8077-D97CEE12525F", "versionEndExcluding": "7.8.3", "versionStartIncluding": "7.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@atlassian.com"}