CVE-2018-13402 (GCVE-0-2018-13402)
Vulnerability from cvelistv5 – Published: 2018-10-23 14:00 – Updated: 2024-09-16 17:52
VLAI
Summary
Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers to attack users, in some cases be able to obtain a user's Cross-site request forgery (CSRF) token, via a open redirect vulnerability.
Severity
6.1 (Medium)
CWE
- URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
2 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/105751 | vdb-entryx_refsource_BID |
| https://jira.atlassian.com/browse/JRASERVER-68140 | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Jira |
Affected:
unspecified , < 7.6.9
(custom)
Affected: 7.7.0 , < unspecified (custom) Affected: unspecified , < 7.7.5 (custom) Affected: 7.8.0 , < unspecified (custom) Affected: unspecified , < 7.8.5 (custom) Affected: 7.9.0 , < unspecified (custom) Affected: unspecified , < 7.9.3 (custom) Affected: 7.10.0 , < unspecified (custom) Affected: unspecified , < 7.10.3 (custom) Affected: 7.11.0 , < unspecified (custom) Affected: unspecified , < 7.11.3 (custom) Affected: 7.12.0 , < unspecified (custom) Affected: unspecified , < 7.12.3 (custom) Affected: 7.13.0 , < unspecified (custom) Affected: unspecified , < 7.13.1 (custom) |
Date Public
2018-10-23 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T09:00:35.161Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "105751",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/105751"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-68140"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Jira",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "7.6.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.7.0",
"versionType": "custom"
},
{
"lessThan": "7.7.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.8.0",
"versionType": "custom"
},
{
"lessThan": "7.8.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.9.0",
"versionType": "custom"
},
{
"lessThan": "7.9.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.10.0",
"versionType": "custom"
},
{
"lessThan": "7.10.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.11.0",
"versionType": "custom"
},
{
"lessThan": "7.11.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.12.0",
"versionType": "custom"
},
{
"lessThan": "7.12.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.13.0",
"versionType": "custom"
},
{
"lessThan": "7.13.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2018-10-23T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers to attack users, in some cases be able to obtain a user\u0027s Cross-site request forgery (CSRF) token, via a open redirect vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-30T09:57:01.000Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"name": "105751",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/105751"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-68140"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2018-10-23T00:00:00",
"ID": "CVE-2018-13402",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jira",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "7.6.9"
},
{
"version_affected": "\u003e=",
"version_value": "7.7.0"
},
{
"version_affected": "\u003c",
"version_value": "7.7.5"
},
{
"version_affected": "\u003e=",
"version_value": "7.8.0"
},
{
"version_affected": "\u003c",
"version_value": "7.8.5"
},
{
"version_affected": "\u003e=",
"version_value": "7.9.0"
},
{
"version_affected": "\u003c",
"version_value": "7.9.3"
},
{
"version_affected": "\u003e=",
"version_value": "7.10.0"
},
{
"version_affected": "\u003c",
"version_value": "7.10.3"
},
{
"version_affected": "\u003e=",
"version_value": "7.11.0"
},
{
"version_affected": "\u003c",
"version_value": "7.11.3"
},
{
"version_affected": "\u003e=",
"version_value": "7.12.0"
},
{
"version_affected": "\u003c",
"version_value": "7.12.3"
},
{
"version_affected": "\u003e=",
"version_value": "7.13.0"
},
{
"version_affected": "\u003c",
"version_value": "7.13.1"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers to attack users, in some cases be able to obtain a user\u0027s Cross-site request forgery (CSRF) token, via a open redirect vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "105751",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/105751"
},
{
"name": "https://jira.atlassian.com/browse/JRASERVER-68140",
"refsource": "CONFIRM",
"url": "https://jira.atlassian.com/browse/JRASERVER-68140"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2018-13402",
"datePublished": "2018-10-23T14:00:00.000Z",
"dateReserved": "2018-07-06T00:00:00.000Z",
"dateUpdated": "2024-09-16T17:52:50.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2018-13402",
"date": "2026-06-03",
"epss": "0.00087",
"percentile": "0.24915"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2018-13402\",\"sourceIdentifier\":\"security@atlassian.com\",\"published\":\"2018-10-23T13:29:03.117\",\"lastModified\":\"2024-11-21T03:47:02.103\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Many resources in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allow remote attackers to attack users, in some cases be able to obtain a user\u0027s Cross-site request forgery (CSRF) token, via a open redirect vulnerability.\"},{\"lang\":\"es\",\"value\":\"Muchos recursos en Atlassian Jira en versiones anteriores a la 7.6.9, desde la versi\u00f3n 7.7.0 anterior a la 7.7.5, desde la versi\u00f3n 7.8.0 anterior a la 7.8.5, desde la versi\u00f3n 7.9.0 anterior a la 7.9.3, desde la versi\u00f3n 7.10.0 anterior a la 7.10.3, desde la versi\u00f3n 7.11.0 anterior a la 7.11.3, desde la versi\u00f3n 7.12.0 anterior a la 7.12.3 y antes de la versi\u00f3n 7.13.1 permiten que atacantes remotos ataquen a usuarios y, en algunos casos, obtengan el token Cross-Site Request Forgery (CSRF) de un usuario a trav\u00e9s de una vulnerabilidad de redirecci\u00f3n abierta.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:N\",\"baseScore\":5.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-601\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.6.9\",\"matchCriteriaId\":\"25E9DDE1-F33F-4F65-A521-807D4F09C0AE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.7.0\",\"versionEndExcluding\":\"7.7.5\",\"matchCriteriaId\":\"300D871F-7128-41F1-BCC8-BE7C3687741B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.8.0\",\"versionEndExcluding\":\"7.8.5\",\"matchCriteriaId\":\"A04E4050-271E-4D23-B988-E02D5A651386\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.9.0\",\"versionEndExcluding\":\"7.9.3\",\"matchCriteriaId\":\"2A3C3F9E-5BDD-48F3-B45F-9B9C6D31CAE2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.10.0\",\"versionEndExcluding\":\"7.10.3\",\"matchCriteriaId\":\"C568973F-5079-49ED-928D-7F11C842CF4B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.11.0\",\"versionEndExcluding\":\"7.11.3\",\"matchCriteriaId\":\"551A5667-1184-4E3D-9AA7-90C8D18590C3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.12.0\",\"versionEndExcluding\":\"7.12.3\",\"matchCriteriaId\":\"078CC169-BA97-4F89-A9AE-05E21FC867CA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.13.0\",\"versionEndExcluding\":\"7.13.1\",\"matchCriteriaId\":\"C0A81285-A452-4AFE-94BE-3B27014535A3\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/105751\",\"source\":\"security@atlassian.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://jira.atlassian.com/browse/JRASERVER-68140\",\"source\":\"security@atlassian.com\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/105751\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://jira.atlassian.com/browse/JRASERVER-68140\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…