Headline
CVE-2020-29453: [JRASERVER-72014] Pre-Authorization Limited Arbitrary File Read in Jira Server - CVE-2020-29453
The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center before version 8.5.11, from 8.6.0 before 8.13.3, and from 8.14.0 before 8.15.0 allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.
The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center allowed unauthenticated remote attackers to read arbitrary files within WEB-INF and META-INF directories via an incorrect path access check.
Affected versions:
- version < 8.5.11
- 8.6.0 ≤ version < 8.13.3
- 8.14.0 ≤ version < 8.15.0
Fixed versions:
- 8.5.11
- 8.13.3
- 8.15.0
This vulnerability is attributed to Amit Laish, a security researcher from GE Digital.