CVE-2017-18101 - OpenCVE

Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if an internal service exists through missing permission checks.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Atlassian	Jira Jira Server

Configuration 1 [-]

OR	cpe:2.3:a:atlassian:jira::::::::
	cpe:2.3:a:atlassian:jira_server::::::::
	cpe:2.3:a:atlassian:jira_server::::::::

No data.

References

Link	Providers
http://www.securityfocus.com/bid/103730
https://jira.atlassian.com/browse/JRASERVER-67107

History

No history.

MITRE

Status: PUBLISHED

Assigner: atlassian

Published: 2018-04-10T13:00:00Z

Updated: 2024-09-16T17:19:13.139Z

Reserved: 2018-02-01T00:00:00

Link: CVE-2017-18101

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-04-10T13:29:00.383

Modified: 2022-04-22T20:40:12.933

Link: CVE-2017-18101

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Jira", "vendor": "Atlassian", "versions": [{"lessThan": "7.6.5", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "7.7.0", "versionType": "custom"}, {"lessThan": "7.7.3", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "7.8.0", "versionType": "custom"}, {"lessThan": "7.8.3", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2018-04-10T00:00:00", "descriptions": [{"lang": "en", "value": "Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if an internal service exists through missing permission checks."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "Improper Access Control (CWE-284)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-04-12T09:57:02", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian"}, "references": [{"name": "103730", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/103730"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://jira.atlassian.com/browse/JRASERVER-67107"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2018-04-10T00:00:00", "ID": "CVE-2017-18101", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jira", "version": {"version_data": [{"version_affected": "<", "version_value": "7.6.5"}, {"version_affected": ">=", "version_value": "7.7.0"}, {"version_affected": "<", "version_value": "7.7.3"}, {"version_affected": ">=", "version_value": "7.8.0"}, {"version_affected": "<", "version_value": "7.8.3"}]}}]}, "vendor_name": "Atlassian"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if an internal service exists through missing permission checks."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Access Control (CWE-284)"}]}]}, "references": {"reference_data": [{"name": "103730", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103730"}, {"name": "https://jira.atlassian.com/browse/JRASERVER-67107", "refsource": "CONFIRM", "url": "https://jira.atlassian.com/browse/JRASERVER-67107"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T21:13:48.218Z"}, "title": "CVE Program Container", "references": [{"name": "103730", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/103730"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://jira.atlassian.com/browse/JRASERVER-67107"}]}]}, "cveMetadata": {"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2017-18101", "datePublished": "2018-04-10T13:00:00Z", "dateReserved": "2018-02-01T00:00:00", "dateUpdated": "2024-09-16T17:19:13.139Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "3517B751-F490-40D0-9612-F64511DA1D81", "versionEndExcluding": "7.6.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0281160-9946-46A0-A6FC-B63971CFDEA0", "versionEndExcluding": "7.7.3", "versionStartIncluding": "7.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBBB1C9A-EB14-4C67-8077-D97CEE12525F", "versionEndExcluding": "7.8.3", "versionStartIncluding": "7.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Various administrative external system import resources in Atlassian JIRA Server (including JIRA Core) before version 7.6.5, from version 7.7.0 before version 7.7.3, from version 7.8.0 before version 7.8.3 and before version 7.9.0 allow remote attackers to run import operations and to determine if an internal service exists through missing permission checks."}, {"lang": "es", "value": "Varos recursos administrativos de importaci\u00f3n de sistema externo en Atlassian JIRA Server (incluyendo JIRA Core), en versiones anteriores a la 7.6.5, de la versi\u00f3n 7.7.0 antes de la 7.7.3, de la versi\u00f3n 7.8.0 anterior a la 7.8.3 y antes de la versi\u00f3n 7.9.0, permite que atacantes remotos ejecuten operaciones de importaci\u00f3n y determinen si existe un servicio interno a trav\u00e9s de la falta de comprobaci\u00f3n de permisos."}], "id": "CVE-2017-18101", "lastModified": "2022-04-22T20:40:12.933", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-04-10T13:29:00.383", "references": [{"source": "security@atlassian.com", "tags": ["Broken Link"], "url": "http://www.securityfocus.com/bid/103730"}, {"source": "security@atlassian.com", "tags": ["Vendor Advisory"], "url": "https://jira.atlassian.com/browse/JRASERVER-67107"}], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "security@atlassian.com", "type": "Secondary"}]}