Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-13391

The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from version 7.11.0 before version 7.11.2 allows remote attackers who can access & view an issue to obtain the email address of the reporter and assignee user of an issue despite the configured email visibility setting being set to hidden.

Published

2018-08-28T12:29:00.230

Last Modified

2024-11-21T03:47:00.780

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 5.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-200

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	atlassian	jira	< 7.6.8	Yes
Application	atlassian	jira_server	< 7.7.5	Yes
Application	atlassian	jira_server	< 7.8.5	Yes
Application	atlassian	jira_server	< 7.9.3	Yes
Application	atlassian	jira_server	< 7.10.3	Yes
Application	atlassian	jira_server	< 7.11.2	Yes

References

http://www.securityfocus.com/bid/105165 Third Party Advisory, VDB Entry ([email protected])
https://jira.atlassian.com/browse/JRASERVER-67750 Issue Tracking, Vendor Advisory ([email protected])
http://www.securityfocus.com/bid/105165 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://jira.atlassian.com/browse/JRASERVER-67750 Issue Tracking, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)