
THREATINT
PUBLISHED

CVE-2020-36239

Assigner: atlassian
Reserved: 2021-01-27
Published: 2021-07-29
Updated: 2024-10-17

Description

Jira Data Center, Jira Core Data Center, and Jira Software Data Center from version 6.3.0 before 8.5.16, from 8.6.0 before 8.13.8, and from 8.14.0 before 8.17.0, and Jira Service Management Data Center from version 2.0.2 before 4.5.16, from version 4.6.0 before 4.13.8, and from version 4.14.0 before 4.17.0 exposed an Ehcache RMI network service on port 40001 and potentially 40011 [0][1]. Attackers who can connect to this service could execute arbitrary code of their choice in Jira through deserialization, due to a missing-authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira now require a shared secret in order to allow access to the Ehcache service.

[0] In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated.

[1] In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated.

Product status

Jira Data Center, Jira Core Data Center, and Jira Software Data Center (the record lists the same three version ranges once for each of these products):

from 6.3.0 before 8.5.16: affected
from 8.6.0 before 8.13.8: affected
from 8.14.0 before 8.17.0: affected

Jira Service Management Data Center:

from 2.0.2 before 4.5.16: affected
from 4.6.0 before 4.13.8: affected
from 4.14.0 before 4.17.0: affected

References

https://jira.atlassian.com/browse/JSDSERVER-8454

https://jira.atlassian.com/browse/JRASERVER-72566

https://confluence.atlassian.com/adminjiraserver/jira-data-center-and-jira-service-management-data-center-security-advisory-2021-07-21-1063571388.html

cve.org CVE-2020-36239

nvd.nist.gov CVE-2020-36239

https://cve.threatint.com/CVE/CVE-2020-36239