CVE-2020-36238
MEDIUMJira Server and Data Center < 8.5.13 and 8.6.0-8.13.5 - Unauthenticated Username Enumeration via Render API
Title source: llmDescription
The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or not via a missing permissions check.
References (1)
Core 1
Core References
Patch, Vendor Advisory x_refsource_misc
https://jira.atlassian.com/browse/JRASERVER-72249
Scores
CVSS v3
5.3
EPSS
0.0020
EPSS Percentile
42.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-862
CWE-863
Status
published
Products (4)
atlassian/data_center
< 8.5.13
atlassian/jira
< 8.5.13
atlassian/jira_data_center
8.6.0 - 8.13.5
atlassian/jira_server
8.6.0 - 8.13.5
Published
Apr 01, 2021
Tracked Since
Feb 18, 2026