Atlassian JIRA ProfileLinkUserFormat Information Disclosure Vulnerability

Medium Nessus Plugin ID 117338

Synopsis

The remote web server hosts a web application that is affected by an information disclosure vulnerability: remote attackers who can access and view an issue are able to obtain the email addresses of the issue's reporter and assignee even when the email visibility setting is set to hidden.

Description

The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from version 7.11.0 before version 7.11.2 allows remote attackers who can access and view an issue to obtain the email addresses of the reporter and assignee of that issue, despite the configured email visibility setting being set to hidden.

Solution

Upgrade to Atlassian JIRA version 7.6.8 / 7.7.5 / 7.8.5 / 7.9.3 / 7.10.3 / 7.11.2 or later.

See Also

https://jira.atlassian.com/browse/JRASERVER-67750

Plugin Details

Severity: Medium

ID: 117338

File Name: jira_7_9_3_email_visibility.nasl

Version: 1.2

Type: remote

Family: CGI abuses

Published: 2018/09/07

Modified: 2018/09/17

Dependencies: 45577

Risk Information

Risk Factor: Medium

CVSS Score Source: manual

CVSS Score Rationale: Score based on analysis of the vendor advisory.

CVSSv2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSSv3

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Vulnerability Information

CPE: cpe:/a:atlassian:jira

Required KB Items: installed_sw/Atlassian JIRA, Settings/ParanoidReport

Patch Publication Date: 2018/08/10

Vulnerability Publication Date: 2018/08/10

Reference Information

CVE: CVE-2018-13391

BID: 105165

IAVA: 2018-A-0285