CVE-2020-36232
Severity: MEDIUM
atlassian-gadgets < 4.2.37, 4.3.0-4.3.13, 4.3.2.0-4.3.2.3, 4.4.0-4.4.11, 5.0.0 SSRF via MessageBundleWhiteList
Title source: llmDescription
The MessageBundleWhiteList class of atlassian-gadgets before version 4.2.37, from version 4.3.0 before 4.3.14, from version 4.3.2.0 before 4.3.2.4, from version 4.4.0 before 4.4.12, and from version 5.0.0 before 5.0.1 allowed unexpected DNS lookups and requests to arbitrary services, as it incorrectly obtained application base URL information from the executing HTTP request, which could be attacker controlled.
References (1)
Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://jira.atlassian.com/browse/JRASERVER-72025
Scores
CVSS v3
5.0
EPSS
0.0010
EPSS Percentile
27.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Details
CWE
CWE-918
Status
published
Products (1)
atlassian/atlassian-gadgets
< 4.2.37
Published
Feb 22, 2021
Tracked Since
Feb 18, 2026