CVE-2020-36232

The MessageBundleWhiteList class of atlassian-gadgets before version 4.2.37, from version 4.3.0 before 4.3.14, from version 4.3.2.0 before 4.3.2.4, from version 4.4.0 before 4.4.12, and from version 5.0.0 before 5.0.1 allowed unexpected DNS lookups and requests to arbitrary services as it incorrectly obtained application base url information from the executing http request which could be attacker controlled.
References
Link Resource
https://jira.atlassian.com/browse/JRASERVER-72025 Issue Tracking Patch Vendor Advisory
https://jira.atlassian.com/browse/JRASERVER-72025 Issue Tracking Patch Vendor Advisory
Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:a:atlassian:atlassian-gadgets:*:*:*:*:*:atlassian:*:*
cpe:2.3:a:atlassian:atlassian-gadgets:*:*:*:*:*:atlassian:*:*
cpe:2.3:a:atlassian:atlassian-gadgets:*:*:*:*:*:atlassian:*:*
cpe:2.3:a:atlassian:atlassian-gadgets:*:*:*:*:*:atlassian:*:*
cpe:2.3:a:atlassian:atlassian-gadgets:*:*:*:*:*:atlassian:*:*
OR cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:jira_data_center:8.15.0:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:jira_server:8.15.0:*:*:*:*:*:*:*

History

21 Nov 2024, 05:29

Type Values Removed Values Added
References () https://jira.atlassian.com/browse/JRASERVER-72025 - Issue Tracking, Patch, Vendor Advisory () https://jira.atlassian.com/browse/JRASERVER-72025 - Issue Tracking, Patch, Vendor Advisory

Information

Published : 2021-02-22 21:15

Updated : 2024-11-21 05:29


NVD link : CVE-2020-36232

Mitre link : CVE-2020-36232

CVE.ORG link : CVE-2020-36232


JSON object : View

Products Affected

atlassian

  • data_center
  • atlassian-gadgets
  • jira_data_center
  • jira_server
CWE
CWE-918

Server-Side Request Forgery (SSRF)