CVE-2017-9513 (GCVE-0-2017-9513)
Vulnerability from cvelistv5 – Published: 2018-01-29 19:00 – Updated: 2024-09-17 02:53
VLAI
Summary
Several rest inline action resources of Atlassian Activity Streams before version 6.3.0 allows remote authenticated attackers to watch any Confluence page & receive notifications when comments are added to the watched page, and vote & watch JIRA issues that they do not have access to, although they will not receive notifications for the issue, via missing permission checks.
Severity
No CVSS data available.
CWE
- CWE-284 - Improper Access Control (CWE-284)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://ecosystem.atlassian.net/browse/STRM-2350 | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/102869 | vdb-entryx_refsource_BID |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Atlassian | Activity Streams |
Affected:
All versions prior to version 6.3.0
|
Date Public
2017-09-07 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T17:11:01.667Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://ecosystem.atlassian.net/browse/STRM-2350"
},
{
"name": "102869",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/102869"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Activity Streams",
"vendor": "Atlassian",
"versions": [
{
"status": "affected",
"version": "All versions prior to version 6.3.0"
}
]
}
],
"datePublic": "2017-09-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Several rest inline action resources of Atlassian Activity Streams before version 6.3.0 allows remote authenticated attackers to watch any Confluence page \u0026 receive notifications when comments are added to the watched page, and vote \u0026 watch JIRA issues that they do not have access to, although they will not receive notifications for the issue, via missing permission checks."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Control (CWE-284)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-01T10:57:01.000Z",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://ecosystem.atlassian.net/browse/STRM-2350"
},
{
"name": "102869",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/102869"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2017-09-07T00:00:00",
"ID": "CVE-2017-9513",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Activity Streams",
"version": {
"version_data": [
{
"version_value": "All versions prior to version 6.3.0"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Several rest inline action resources of Atlassian Activity Streams before version 6.3.0 allows remote authenticated attackers to watch any Confluence page \u0026 receive notifications when comments are added to the watched page, and vote \u0026 watch JIRA issues that they do not have access to, although they will not receive notifications for the issue, via missing permission checks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Access Control (CWE-284)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ecosystem.atlassian.net/browse/STRM-2350",
"refsource": "CONFIRM",
"url": "https://ecosystem.atlassian.net/browse/STRM-2350"
},
{
"name": "102869",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/102869"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2017-9513",
"datePublished": "2018-01-29T19:00:00.000Z",
"dateReserved": "2017-06-07T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:53:33.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2017-9513",
"date": "2026-05-26",
"epss": "0.00117",
"percentile": "0.29913"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2017-9513\",\"sourceIdentifier\":\"security@atlassian.com\",\"published\":\"2018-01-29T19:29:01.063\",\"lastModified\":\"2024-11-21T03:36:18.327\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Several rest inline action resources of Atlassian Activity Streams before version 6.3.0 allows remote authenticated attackers to watch any Confluence page \u0026 receive notifications when comments are added to the watched page, and vote \u0026 watch JIRA issues that they do not have access to, although they will not receive notifications for the issue, via missing permission checks.\"},{\"lang\":\"es\",\"value\":\"Varios recursos rest de acci\u00f3n inline de Atlassian Activity Streams en versiones anteriores a la 6.3.0 permiten que atacantes remotos autenticados vean cualquier p\u00e1gina Confluence, reciban notificaciones cuando se a\u00f1aden comentarios en la p\u00e1gina vista y voten y vean problemas JIRA a los que no tienen acceso, aunque no recibir\u00e1n notificaciones para el problema, mediante la falta de comprobaciones de permisos.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:N\",\"baseScore\":5.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@atlassian.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:activity_streams:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"6.3.0\",\"matchCriteriaId\":\"0A56A311-72BB-47C6-A488-16BD13ED0CCC\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/102869\",\"source\":\"security@atlassian.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://ecosystem.atlassian.net/browse/STRM-2350\",\"source\":\"security@atlassian.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/102869\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://ecosystem.atlassian.net/browse/STRM-2350\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…