Vulnerability-Lookup

CNVD-2018-17523

Vulnerability from cnvd - Published: 2018-09-05

Title

Atlassian Jira Webhooks组件信息泄露漏洞

Description

Atlassian Jira是澳大利亚Atlassian公司的一套缺陷跟踪管理系统。该系统主要用于对工作中各类问题、缺陷进行跟踪管理。Webhooks是其中的一个为系统提供实时信息的组件。 Atlassian Jira 7.6.7之前版本和7.7.0版本至7.11.0版本（不包含7.11.0版本）中的Webhooks组件存在信息泄露漏洞。远程攻击者可通过观察或拦截Webhook事件利用该漏洞获取信息。

Severity

中

Patch Name

Atlassian Jira Webhooks组件信息泄露漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://jira.atlassian.com/browse/JRASERVER-59980

Reference

https://jira.atlassian.com/browse/JRASERVER-59980

Impacted products

Name
['Atlassian JIRA <7.6.7', 'Atlassian JIRA >=7.7.0，<7.11.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-18104"
    }
  },
  "description": "Atlassian Jira\u662f\u6fb3\u5927\u5229\u4e9aAtlassian\u516c\u53f8\u7684\u4e00\u5957\u7f3a\u9677\u8ddf\u8e2a\u7ba1\u7406\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u4e3b\u8981\u7528\u4e8e\u5bf9\u5de5\u4f5c\u4e2d\u5404\u7c7b\u95ee\u9898\u3001\u7f3a\u9677\u8fdb\u884c\u8ddf\u8e2a\u7ba1\u7406\u3002Webhooks\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u4e3a\u7cfb\u7edf\u63d0\u4f9b\u5b9e\u65f6\u4fe1\u606f\u7684\u7ec4\u4ef6\u3002\r\n\r\nAtlassian Jira 7.6.7\u4e4b\u524d\u7248\u672c\u548c7.7.0\u7248\u672c\u81f37.11.0\u7248\u672c\uff08\u4e0d\u5305\u542b7.11.0\u7248\u672c\uff09\u4e2d\u7684Webhooks\u7ec4\u4ef6\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u89c2\u5bdf\u6216\u62e6\u622aWebhook\u4e8b\u4ef6\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u4fe1\u606f\u3002",
  "discovererName": "Yuki Okamoto",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://jira.atlassian.com/browse/JRASERVER-59980",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-17523",
  "openTime": "2018-09-05",
  "patchDescription": "Atlassian Jira\u662f\u6fb3\u5927\u5229\u4e9aAtlassian\u516c\u53f8\u7684\u4e00\u5957\u7f3a\u9677\u8ddf\u8e2a\u7ba1\u7406\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u4e3b\u8981\u7528\u4e8e\u5bf9\u5de5\u4f5c\u4e2d\u5404\u7c7b\u95ee\u9898\u3001\u7f3a\u9677\u8fdb\u884c\u8ddf\u8e2a\u7ba1\u7406\u3002Webhooks\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u4e3a\u7cfb\u7edf\u63d0\u4f9b\u5b9e\u65f6\u4fe1\u606f\u7684\u7ec4\u4ef6\u3002\r\n\r\nAtlassian Jira 7.6.7\u4e4b\u524d\u7248\u672c\u548c7.7.0\u7248\u672c\u81f37.11.0\u7248\u672c\uff08\u4e0d\u5305\u542b7.11.0\u7248\u672c\uff09\u4e2d\u7684Webhooks\u7ec4\u4ef6\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u89c2\u5bdf\u6216\u62e6\u622aWebhook\u4e8b\u4ef6\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Atlassian Jira Webhooks\u7ec4\u4ef6\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Atlassian JIRA \u003c7.6.7",
      "Atlassian JIRA \u003e=7.7.0\uff0c\u003c7.11.0"
    ]
  },
  "referenceLink": "https://jira.atlassian.com/browse/JRASERVER-59980",
  "serverity": "\u4e2d",
  "submitTime": "2018-07-26",
  "title": "Atlassian Jira Webhooks\u7ec4\u4ef6\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2017-18104 (GCVE-0-2017-18104)

Vulnerability from cvelistv5 – Published: 2018-07-24 13:00 – Updated: 2024-09-16 19:46

Summary

The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.11.0 allows remote attackers who are able to observe or otherwise intercept webhook events to learn information about changes in issues that should not be sent because they are not contained within the results of a specified JQL query.

Severity

No CVSS data available.

CWE

Information Exposure

Assigner

atlassian

References

1 reference

URL	Tags
https://jira.atlassian.com/browse/JRASERVER-59980	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
Atlassian	Jira	Affected: unspecified , < 7.6.7 (custom) Affected: 7.7.0 , < unspecified (custom) Affected: unspecified , < 7.11.0 (custom)

Date Public

2018-07-24 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T21:13:48.219Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://jira.atlassian.com/browse/JRASERVER-59980"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Jira",
          "vendor": "Atlassian",
          "versions": [
            {
              "lessThan": "7.6.7",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "7.7.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.11.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2018-07-24T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.11.0 allows remote attackers who are able to observe or otherwise intercept webhook events to learn information about changes in issues that should not be sent because they are not contained within the results of a specified JQL query."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Information Exposure",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-07-24T12:57:01.000Z",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://jira.atlassian.com/browse/JRASERVER-59980"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@atlassian.com",
          "DATE_PUBLIC": "2018-07-24T00:00:00",
          "ID": "CVE-2017-18104",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Jira",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "7.6.7"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "7.7.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "7.11.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Atlassian"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Webhooks component of Atlassian Jira before version 7.6.7 and from version 7.7.0 before version 7.11.0 allows remote attackers who are able to observe or otherwise intercept webhook events to learn information about changes in issues that should not be sent because they are not contained within the results of a specified JQL query."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information Exposure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jira.atlassian.com/browse/JRASERVER-59980",
              "refsource": "CONFIRM",
              "url": "https://jira.atlassian.com/browse/JRASERVER-59980"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2017-18104",
    "datePublished": "2018-07-24T13:00:00.000Z",
    "dateReserved": "2018-02-01T00:00:00.000Z",
    "dateUpdated": "2024-09-16T19:46:59.715Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2018-17523

CVE-2017-18104 (GCVE-0-2017-18104)

Tags

Sightings

Nomenclature