Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2020-36287

CVE-2020-36287: Atlassian Jira Information Disclosure Flaw

CVE-2020-36287 is an information disclosure vulnerability in Atlassian Jira Data Center that allows attackers to obtain gadget settings through a permissions bypass. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2020-36287 Overview

CVE-2020-36287 is an information disclosure vulnerability in the Atlassian gadgets plugin used in Jira Server and Jira Data Center. The dashboard gadgets preference resource lacks proper permissions checks, allowing remote anonymous attackers to obtain gadget-related settings without authentication. This vulnerability affects versions before 8.13.5 and versions from 8.14.0 before 8.15.1.

Critical Impact

Remote anonymous attackers can access sensitive gadget configuration settings without authentication, potentially exposing internal system information and configurations.

Affected Products

  • Atlassian Jira Server (versions before 8.13.5 and from 8.14.0 before 8.15.1)
  • Atlassian Jira Data Center (versions before 8.13.5 and from 8.14.0 before 8.15.1)
  • Atlassian Data Center (affected versions)

Discovery Timeline

  • 2021-04-09 - CVE-2020-36287 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2020-36287

Vulnerability Analysis

This vulnerability stems from improper access control (CWE-862: Missing Authorization and CWE-863: Incorrect Authorization) in the Atlassian gadgets plugin. The dashboard gadgets preference resource endpoint fails to validate user permissions before returning gadget-related configuration data. This allows unauthenticated attackers to query the endpoint and retrieve sensitive information that should only be accessible to authenticated users with appropriate privileges.

The attack is network-accessible and requires no user interaction or prior authentication, making it particularly accessible to attackers. While the vulnerability only impacts confidentiality without affecting integrity or availability, the exposed configuration data could provide valuable reconnaissance information for more sophisticated attacks against the Jira deployment.

Root Cause

The root cause is a missing authorization check in the dashboard gadgets preference resource handler. When processing requests to retrieve gadget preferences, the code fails to verify that the requesting user has appropriate permissions to access the requested data. This is a classic broken access control vulnerability where authorization enforcement is simply absent from the request processing flow.

Attack Vector

The attack can be executed remotely over the network without any authentication credentials. An attacker simply needs network access to the vulnerable Jira Server or Data Center instance to query the gadgets preference resource endpoint. The attack requires no special privileges, no user interaction, and has low complexity to execute. The attacker sends HTTP requests to the vulnerable endpoint, and the server responds with gadget configuration data that should be protected.

Detection Methods for CVE-2020-36287

Indicators of Compromise

  • Unusual HTTP requests to dashboard gadget preference endpoints from unauthenticated sources
  • Spike in anonymous API requests to Jira gadget-related resources
  • Access logs showing repeated queries to gadget preference endpoints from external IP addresses
  • Network traffic patterns indicating enumeration of gadget configurations

Detection Strategies

  • Monitor web application logs for unauthenticated access attempts to /rest/gadget/ or similar gadget-related API endpoints
  • Implement web application firewall (WAF) rules to detect and alert on suspicious access patterns to gadget preference resources
  • Configure Jira access logging to track anonymous requests to sensitive configuration endpoints
  • Deploy network intrusion detection systems (NIDS) with signatures for known exploitation patterns

Monitoring Recommendations

  • Enable detailed access logging on Jira Server and Data Center instances to capture all requests to gadget preference endpoints
  • Set up alerting for anomalous volumes of anonymous API requests
  • Regularly review access logs for patterns indicating reconnaissance or information gathering activities
  • Integrate Jira logs with SIEM solutions for centralized monitoring and correlation

How to Mitigate CVE-2020-36287

Immediate Actions Required

  • Upgrade Jira Server to version 8.13.5 or later (for versions before 8.14.0)
  • Upgrade Jira Server to version 8.15.1 or later (for versions 8.14.0 through 8.15.0)
  • Apply the same version upgrades for Jira Data Center deployments
  • Review access logs for any indication of prior exploitation

Patch Information

Atlassian has released patches addressing this vulnerability in Jira Server and Jira Data Center versions 8.13.5 and 8.15.1. Organizations should upgrade to these versions or later to remediate the vulnerability. For detailed patch information and upgrade instructions, refer to the Atlassian Bug Report JRASERVER-72258.

Workarounds

  • Implement network-level restrictions to limit access to Jira instances from trusted networks only
  • Configure reverse proxy or WAF rules to block unauthenticated access to gadget preference endpoints
  • Consider temporarily disabling the Atlassian gadgets plugin if gadget functionality is not critical to operations
  • Implement IP allowlisting for access to Jira management and API endpoints

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne