CVE-2020-36289

MEDIUM NUCLEI

Atlassian Data Center < 8.5.13 - Incorrect Authorization


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-36289. PoCs published by milo2012. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository contains a Python script that enumerates usernames in Atlassian Jira Server/Data Center by exploiting an information disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. It uses multithreading to check a list of usernames against a target URL.

Description

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the QueryComponentRendererValue!Default.jspa endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.

Exploits (1)

gitlab SCANNER
by milo2012 · poc
https://gitlab.com/milo2012/cve-2020-36289

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Atlassian Jira Server and Data Center (versions < 8.5.15, 8.6.0 ≤ version < 8.13.7, 8.14.0 ≤ version < 8.17.0)
No auth needed
Prerequisites: list of usernames to test · target URL
devstral-2 · analyzed Feb 23, 2026

Nuclei Templates (1)

Jira Server and Data Center - Information Disclosure
MEDIUM · by dhiyaneshDk
Shodan: http.component:"Atlassian Jira" || http.component:"atlassian jira"

References (1)

Core reference (Issue Tracking, Permissions Required, Vendor Advisory, x_refsource_misc):
https://jira.atlassian.com/browse/JRASERVER-71559

Scores

CVSS v3 5.3
EPSS 0.9921
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-863
Status published
Products (4)
atlassian/data_center < 8.5.13
atlassian/jira < 8.5.13
atlassian/jira_data_center 8.6.0 - 8.13.5
atlassian/jira_server 8.6.0 - 8.13.5
Published May 12, 2021
Tracked Since Feb 18, 2026