Positive Technologies expert Mikhail Klyuchnikov discovered a vulnerability in Jira, Atlassian's widely used bug tracking and project management system. The flaw allowed an unauthenticated attacker to obtain personal information about the system's users.
“Vulnerabilities like this save the attacker a significant amount of time: they make it possible to determine whether an account with a particular login exists in the system,” said Mikhail Klyuchnikov. “By enumerating different logins, the attacker finds out which users are present in the system. If the login does not exist, the system says so; if it does, the system also returns the user's personal data (if it has been entered into the system). After enumerating the existing logins, the attacker could proceed to brute-force the password of each existing user. Without this vulnerability, an attacker has to brute-force passwords blindly against logins that may not exist in the system at all. The vulnerability reduces the hacker's effort and the likelihood that the attack is detected, which ultimately makes the target more attractive to the hacker. That is why we strongly recommend updating.”
The flaw was assigned the identifier CVE-2020-14181 and a CVSS score of 5.3, which corresponds to medium severity. The root cause was that a particular script could be accessed by any unauthenticated user. The vulnerability affected Jira Server and Jira Data Center. Atlassian has already released updates; the bug is fixed in versions 7.13.6, 8.5.7 and 8.12.0.
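To make the mechanism concrete, here is an added example in Python (not Atlassian's code and not the researcher's proof of concept): a simulated user-detail endpoint with the flawed behaviour beside a hardened version that demands a session, a differential probe that enumerates existing logins against either, and a check over web-server access logs that flags a client probing many different logins. The endpoint path /secure/UserInfo.jspa, the response texts, the user records and the log lines are all assumptions constructed for the example.

```python
"""User-enumeration oracle, its hardened form, and a log-side check.

Added example, not Atlassian's code and not the researcher's proof of
concept. The endpoint path, response texts, user records and log lines
are constructed for illustration only.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set

# Constructed user store standing in for the Jira user directory.
USERS: Dict[str, Dict[str, str]] = {
    "admin": {"name": "Site Admin", "email": "admin@example.com"},
    "jsmith": {"name": "Jane Smith", "email": "jsmith@example.com"},
}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def vulnerable_user_hover(username: str, authenticated: bool = False) -> Response:
    """Flawed behaviour: no session check, and both status and body reveal
    whether the login exists (and leak profile data when it does)."""
    record = USERS.get(username)
    if record is None:
        return Response(404, f"User {username} does not exist")
    return Response(200, f"{record['name']} <{record['email']}>")


def hardened_user_hover(username: str, authenticated: bool = False) -> Response:
    """Fixed behaviour: anonymous callers get one constant answer no matter
    which login they ask about; profile data is only shown to a session."""
    if not authenticated:
        return Response(401, "Authentication required")
    record = USERS.get(username)
    if record is None:
        return Response(404, "User not found")
    return Response(200, f"{record['name']} <{record['email']}>")


Endpoint = Callable[[str], Response]


def _fingerprint(resp: Response, username: str):
    # Strip the echoed login so only genuine behavioural differences remain.
    return resp.status, resp.body.replace(username, "<login>")


def enumerate_users(endpoint: Endpoint, candidates: Iterable[str]) -> Dict[str, str]:
    """Probe each candidate login anonymously and return those whose response
    differs from the most common one. Most guesses in a wordlist do not exist,
    so the majority fingerprint is the 'no such user' baseline; every outlier
    is an existing account, returned with whatever the body leaked."""
    results = {name: endpoint(name) for name in candidates}
    if not results:
        return {}
    fingerprints = {n: _fingerprint(r, n) for n, r in results.items()}
    baseline, _ = Counter(fingerprints.values()).most_common(1)[0]
    return {n: results[n].body for n, fp in fingerprints.items() if fp != baseline}


# Combined-log-format access lines; constructed sample data.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
USER_PARAM = re.compile(r"[?&]username=([^&\s]+)")

SAMPLE_LOG: List[str] = [
    '203.0.113.5 - - [10/Sep/2020:10:00:01 +0000] "GET /secure/UserInfo.jspa?username=admin HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Sep/2020:10:00:01 +0000] "GET /secure/UserInfo.jspa?username=root HTTP/1.1" 404 87',
    '203.0.113.5 - - [10/Sep/2020:10:00:02 +0000] "GET /secure/UserInfo.jspa?username=guest HTTP/1.1" 404 87',
    '203.0.113.5 - - [10/Sep/2020:10:00:02 +0000] "GET /secure/UserInfo.jspa?username=jsmith HTTP/1.1" 200 498',
    '198.51.100.7 - - [10/Sep/2020:10:00:03 +0000] "GET /secure/UserInfo.jspa?username=jsmith HTTP/1.1" 200 498',
    '198.51.100.7 - - [10/Sep/2020:10:00:04 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 9211',
]


def flag_enumeration(log_lines: Iterable[str], endpoint_path: str, threshold: int) -> Set[str]:
    """Count distinct logins each client asked the user-detail endpoint about;
    a single client reaching `threshold` distinct logins is flagged. A real
    user hovers over a handful of names, an enumerator walks a wordlist."""
    probes: Dict[str, Set[str]] = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or not m.group("path").startswith(endpoint_path):
            continue
        u = USER_PARAM.search(m.group("path"))
        if u:
            probes[m.group("ip")].add(u.group(1))
    return {ip for ip, names in probes.items() if len(names) >= threshold}


if __name__ == "__main__":
    wordlist = ["root", "admin", "guest", "jsmith", "test"]
    print("vulnerable:", enumerate_users(vulnerable_user_hover, wordlist))
    print("hardened:  ", enumerate_users(hardened_user_hover, wordlist))
    print("flagged:   ", flag_enumeration(SAMPLE_LOG, "/secure/UserInfo.jspa", 3))
```

The probe deliberately does not hard-code what a "user exists" answer looks like: it normalises each response and treats the majority as the baseline, which is how you test an unknown endpoint for an oracle without knowing any valid login in advance. The log check is the counterpart on the defender's side: because enumeration never touches the login form, failed-login alerts stay silent, so the endpoint that leaks the information is the one that needs a per-client distinct-login threshold.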