CVE-2020-29453

The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center before version 8.5.11, from 8.6.0 before 8.13.3, and from 8.14.0 before 8.15.0 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.

Published: Feb 22, 2021
Updated: Apr 14, 2023
CVE: CVE-2020-29453
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
atlassian / data_center	8.6.0	8.13.3
atlassian / data_center	8.5.10	8.5.11
atlassian / jira_server	8.5.10	8.5.11
atlassian / jira_server	8.6.0	8.13.3
atlassian / jira_server	8.14.0	8.15.0
atlassian / jira_data_center	8.14.0	8.15.0

https://jira.atlassian.com/browse/JRASERVER-72014

Vulnerability Database

289,784

CVE-2020-29453