One of the Most Popular Developer Tools Has a Critical Vulnerability That Enables an Attacker to Acquire User Information

A new vulnerability that enables an attacker to acquire sensitive user information has been found in Jira, a popular system for bug tracking, customer interaction and project management.

The information disclosure vulnerability, tracked as CVE-2020-14181, has a CVSS rating of 5.3 and was first discovered by Positive Technologies expert Mikhail Klyuchnikov. The vulnerability affects Jira Server and Data Center and occurs because any unauthorized user can access a specific script.

Jira's developer Atlassian is known for making popular products that are used by 170,000 customers in over 190 countries, and 83% of its customers are part of the Fortune Global 500.

Jira vulnerability

Mikhail Klyuchnikov, a senior security researcher at Positive Technologies, offered additional insight on the vulnerability he discovered in a press release, saying:

"Such vulnerabilities help attackers to significantly save time in their attempts to breach systems: they make it possible to find out the presence of an account with a particular login in the system. By brute-forcing various logins, attackers can establish which users are present in the system. If a login exists, the system discloses the user's personal data (in cases where such data is present), and if a login is not found, the system reports it.

"After brute-forcing the existing logins, the attackers might go on to brute-force the passwords of each existing user. Without this vulnerability, attackers would have to haphazardly brute-force the passwords of logins that might not exist in the system. The vulnerability reduces the time hackers would need and decreases the chance of being detected, which, ultimately, makes the target less attractive for attackers. That is why we strongly recommend installing the updates."
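The pattern Klyuchnikov describes (one source walking through many candidate logins against the exposed script) is something a defender can look for in web-server access logs while the patch is rolled out. The following is an added example, not code from the article, Atlassian or Positive Technologies; it assumes combined access-log format, uses a placeholder path because the article does not name the script, assumes a hypothetical `username` query parameter, and runs over constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) \S+" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOOKUP_PATH = "/LOOKUP_SCRIPT_PLACEHOLDER"  # placeholder: the article does not name the script

def parse_line(line):
    """Return (ip, timestamp, path, username) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m["url"])
    user = parse_qs(url.query).get("username", [None])[0]  # hypothetical parameter name
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), url.path, user

def find_enumeration(lines, window_s=60, threshold=5):
    """Map each IP that probed more than `threshold` distinct usernames within `window_s` seconds to that set."""
    events = defaultdict(list)  # ip -> [(timestamp, username)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == LOOKUP_PATH and rec[3]:
            events[rec[0]].append((rec[1], rec[3]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over time-ordered events
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            users = {u for _, u in evs[start:end + 1]}
            if len(users) > threshold:
                flagged[ip] = users
                break
    return flagged

# Constructed sample: one source walks six logins in seconds; another looks up one name, then browses.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Sep/2020:10:00:0{i} +0000] "GET {LOOKUP_PATH}?username={u} HTTP/1.1" 200 512'
    for i, u in enumerate(["admin", "jsmith", "root", "jira", "sysadmin", "alice"])
] + [
    f'198.51.100.4 - - [10/Sep/2020:10:00:03 +0000] "GET {LOOKUP_PATH}?username=bob HTTP/1.1" 200 510',
    '198.51.100.4 - - [10/Sep/2020:10:00:09 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 8001',
]

if __name__ == "__main__":
    for ip, users in find_enumeration(SAMPLE_LOG).items():
        print(f"possible user enumeration from {ip}: {sorted(users)}")
```

Tune `window_s` and `threshold` to the normal lookup rate of your instance, and substitute the real script path from the vendor advisory before using this against production logs.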

Fortunately, Atlassian has patched the vulnerability in product versions 7.13.6, 8.5.7 and 8.12.0, and customers should install the update immediately to avoid falling victim to any potential attacks exploiting it.