CVE-2020-36287

MEDIUM

Atlassian Jira Server/Data Center <8.13.5, 8.14.0-8.15.1 - Unauthenticated Info Disclosure


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-36287. PoCs published by f4rber.

AI-analyzed exploit summary: The repository contains a Python script that scans for CVE-2020-36287 by brute-forcing gadget IDs in Atlassian Jira's dashboard gadgets preference resource. It checks for missing permissions that allow anonymous access to gadget settings.

Description

The dashboard gadgets preference resource of the Atlassian gadgets plugin used in Jira Server and Jira Data Center before version 8.13.5, and from version 8.14.0 before version 8.15.1, allows remote anonymous attackers to obtain gadget-related settings via a missing permissions check.

Exploits (1)

nomisec SCANNER 3 stars
by f4rber · poc
https://github.com/f4rber/CVE-2020-36287


Classification: Scanner (90%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Atlassian Jira Server and Data Center (versions before 8.13.5, 8.14.0 to 8.15.0)
Authentication: No auth needed
Prerequisites: Network access to the target Jira instance
Analyzed by devstral-2 on Feb 18, 2026

References (1)

Core References (1)
Vendor Advisory (x_refsource_misc): https://jira.atlassian.com/browse/JRASERVER-72258

Scores

CVSS v3: 5.3
EPSS: 0.6266
EPSS Percentile: 98.4%
Attack Vector: NETWORK
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE: CWE-862, CWE-863
Status: published
Products (4):
  atlassian/data_center < 8.13.5
  atlassian/jira < 8.13.5
  atlassian/jira_data_center 8.14.0 - 8.15.1
  atlassian/jira_server 8.14.0 - 8.15.1
Published: Apr 09, 2021
Tracked Since: Feb 18, 2026