CVE-2020-36232
Last modified
CVE-2020-36232 is a medium-severity vulnerability rated 5/10 on the CVSS scale. The MessageBundleWhiteList class of atlassian-gadgets before version 4.2.37, from version 4.3.0 before 4.3.14, from version 4.3.2.0 before 4.3.2.4, from version 4.4.0 before 4.4.12, and from version 5.0.0 before 5.0.1 allowed unexpected DNS lookups and requests to arbitrary services as it incorrectly obtained application base url information from the executing http request which could be attacker controlled.. EPSS estimates a 0.97% chance of exploitation in the next 30 days.
Description
The MessageBundleWhiteList class of atlassian-gadgets before version 4.2.37, from version 4.3.0 before 4.3.14, from version 4.3.2.0 before 4.3.2.4, from version 4.4.0 before 4.4.12, and from version 5.0.0 before 5.0.1 allowed unexpected DNS lookups and requests to arbitrary services as it incorrectly obtained application base url information from the executing http request which could be attacker controlled.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Atlassian | Atlassian-Gadgets | < 4.2.37 |
| Atlassian | Atlassian-Gadgets | >= 4.3.0, < 4.3.14 |
| Atlassian | Atlassian-Gadgets | >= 4.3.2.0, < 4.3.2.4 |
| Atlassian | Atlassian-Gadgets | >= 4.4.0, < 4.4.12 |
| Atlassian | Atlassian-Gadgets | >= 5.0.0, < 5.0.1 |
References
- https://jira.atlassian.com/browse/JRASERVER-72025Issue Tracking, Patch, Vendor Advisory
- https://jira.atlassian.com/browse/JRASERVER-72025Issue Tracking, Patch, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-36232?
How severe is CVE-2020-36232?
How do I fix CVE-2020-36232?
Are you affected by CVE-2020-36232?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST