CVE-2020-36232

The MessageBundleWhiteList class of atlassian-gadgets before version 4.2.37, from version 4.3.0 before 4.3.14, from version 4.3.2.0 before 4.3.2.4, from version 4.4.0 before 4.4.12, and from version 5.0.0 before 5.0.1 allowed unexpected DNS lookups and requests to arbitrary services as it incorrectly obtained application base url information from the executing http request which could be attacker controlled.
References
Link Resource
https://jira.atlassian.com/browse/JRASERVER-72025 Issue Tracking Patch Vendor Advisory
Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:a:atlassian:atlassian-gadgets:*:*:*:*:*:atlassian:*:*
cpe:2.3:a:atlassian:atlassian-gadgets:*:*:*:*:*:atlassian:*:*
cpe:2.3:a:atlassian:atlassian-gadgets:*:*:*:*:*:atlassian:*:*
cpe:2.3:a:atlassian:atlassian-gadgets:*:*:*:*:*:atlassian:*:*
cpe:2.3:a:atlassian:atlassian-gadgets:*:*:*:*:*:atlassian:*:*
OR cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:jira_data_center:8.15.0:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:jira_server:8.15.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-02-22 21:15

Updated : 2024-02-28 18:08


NVD link : CVE-2020-36232

Mitre link : CVE-2020-36232

CVE.ORG link : CVE-2020-36232


JSON object : View

Products Affected

atlassian

  • jira_server
  • jira_data_center
  • data_center
  • atlassian-gadgets
CWE
CWE-918

Server-Side Request Forgery (SSRF)