Positive Technologies expert Mikhail Klyuchnikov has discovered a vulnerability in Jira, a popular system for bug tracking, interaction with users, and project management. The vulnerability enabled attackers to obtain sensitive information of users. Products by Atlassian, the Jira developer, are used by 170,000 clients in over 190 countries, 83 per cent of those clients are included in the Fortune Global 500. The vulnerability has been fixed.
Mikhail Klyuchnikov, Senior Security Researcher at Positive Technologies said: "Such vulnerabilities help attackers to significantly save time in their attempts to breach systems: they make it possible to determine the presence of an account with a particular login in the system. By bruteforcing various logins, attackers can identify which users are present in the system. If a login exists, the system discloses the user's personal data (in cases where such data is present), and if a login is not found, the system reports it. After bruteforcing the existing logins, the attackers could go on to bruteforce the passwords of each existing user. Without this vulnerability, attackers would have to haphazardly bruteforce the passwords to logins which might not exist in the system. The vulnerability reduces the time hackers would need and decreases the probability of being detected, which, ultimately, makes the target less attractive for attackers. That's why we strongly recommend installing the updates."
This vulnerability (CVE-2020-14181, score 5.3) has a medium severity level. The error occurs because any unauthorized user can access a specific script. This flaw has been found in Jira Server and Data Center. To remediate the vulnerability, the company has released updates. The error has been fixed in product versions 7.13.6, 8.5.7, and 8.12.0.
The wide use of Atlassian products often attracts hackers. In 2019, Positive Technologies experts found attempted mass exploitation of a critical vulnerability in Confluence.
