CVE‐2020‐36286 - carnal0wnage/J-PWN GitHub Wiki

CVE-2020-36286

Category: [Info Disclosure]

module name: check_cve_2020_36286

url: /rest/api/2/search?jql=assignee%20in%20(membersOf("jira-users"))

[CG] So far I haven't found a vulnerable instance, but this request absolutely works if you are authenticated.

Example Run

- Running Vuln Checks
[INFO] Running single module: check_cve_2020_36286

INFO: IN DEVELOPMENT Checking for Unauthenticated Assignee in membersOf
[Testing URL]: https://JIRASERVERjira/rest/api/2/search?jql=assignee%20in%20(membersOf("jira-users"))
- No unauthenticated issues detected at: https://JIRASERVER/jira/rest/api/2/search?jql=assignee%20in%20(membersOf("jira-users"))
- HTTP Status Code: 400

References:

https://jira.atlassian.com/browse/JRASERVER-72272

Description: The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a group exists & members of groups if they are assigned to a publicly visible issue field.

Affected versions:

  • version < 8.5.13
  • 8.6.0 ≤ version < 8.13.5
  • 8.14.0 ≤ version < 8.15.1

Fixed versions:

  • 8.5.13
  • 8.13.5
  • 8.15.1
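
For patch triage, the affected and fixed ranges above can be checked mechanically against an inventory of Jira versions. The following is an added example, not code from J-PWN or from the advisory; the names `key`, `ranges` and `Affected` are hypothetical, and it assumes the version is a plain dotted number such as `8.13.4`.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// key turns "8.13.4" into 8013004 so versions compare as integers.
// Missing parts count as 0; each part must be in 0..999 (assumption).
func key(s string) (int, error) {
	v := [3]int{}
	parts := strings.Split(strings.TrimSpace(s), ".")
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if i > 2 || err != nil || n < 0 || n > 999 {
			return 0, fmt.Errorf("unsupported version %q", s)
		}
		v[i] = n
	}
	return v[0]*1000000 + v[1]*1000 + v[2], nil
}

// ranges holds the affected intervals listed on this page: from <= v < fixed.
var ranges = [][2]string{{"0", "8.5.13"}, {"8.6.0", "8.13.5"}, {"8.14.0", "8.15.1"}}

// Affected reports whether version is in an affected range and, if so,
// the fixed release that closes that range.
func Affected(version string) (bool, string, error) {
	v, err := key(version)
	if err != nil {
		return false, "", err
	}
	for _, r := range ranges {
		from, _ := key(r[0])
		fixed, _ := key(r[1])
		if v >= from && v < fixed {
			return true, r[1], nil
		}
	}
	return false, "", nil
}

func main() {
	for _, s := range []string{"8.5.12", "8.13.5", "8.15.0"} { // constructed inputs
		affected, fix, err := Affected(s)
		fmt.Println(s, affected, fix, err)
	}
}
```

Note that 8.5.13 and later 8.5.x releases, and 8.13.5 and later 8.13.x releases, fall outside every range and are reported as not affected.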