CVE-2023-30285: CVE/CVE-2023-30285.md at main · D23K4N/CVE

An issue in Deviniti Issue Sync Synchronization v3.5.2 for Jira allows attackers to obtain the login credentials of a user via a crafted request sent to /rest/synchronizer/1.0/technicalUser.


Issue Sync - Synchronization for Jira - CVE-2023-20256

Affected versions: prior to 3.5.2

Vulnerability Description

For authenticated users, Synchronization for Jira allowed listing all technical users together with their passwords (base64-encoded).

Impact

The vulnerability allows unauthorized access to data stored in other projects in JIRA.

POC

With any account in JIRA (on an instance running an affected version of the Issue Sync - Synchronization for Jira plugin), send a GET request to /rest/synchronizer/1.0/technicalUser.
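As an added detection example (not part of the advisory or the vendor's code), the following Python scans Jira-style access log lines for successful authenticated reads of the endpoint named above and reports which accounts retrieved the technical-user list. The log layout (client IP, request id, username, timestamp, request line, status, ...) and the sample lines are assumed and constructed here.

```python
import re
from collections import Counter

# Endpoint named in the advisory: a successful GET returns technical users with passwords.
LEAK_ENDPOINT = "/rest/synchronizer/1.0/technicalUser"

# Assumed access-log layout: ip, request id, username ("-" when anonymous), [timestamp],
# "METHOD path protocol", status, bytes, duration, "referer", "user agent", "session".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<reqid>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0].rstrip("/")  # drop query string / trailing slash
    return rec

def find_credential_reads(lines):
    """Return one record per request that successfully served the technicalUser endpoint.

    Rejected requests (401/403) are not counted: after the fix, or for anonymous callers,
    the endpoint should refuse, so only 200 responses indicate actual disclosure.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and rec["path"] == LEAK_ENDPOINT and rec["status"] == 200:
            hits.append(rec)
    return hits

def summarize(hits):
    """Count successful reads per (user, ip) so each account that pulled the list is listed once."""
    return Counter((h["user"], h["ip"]) for h in hits)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.7 1001x5x1 alice [12/Apr/2023:10:00:01 +0000] "GET /rest/api/2/issue/PROJ-1 HTTP/1.1" 200 812 23 "-" "Mozilla/5.0" "s1"',
    '10.0.0.5 1002x6x1 bob [12/Apr/2023:10:01:10 +0000] "GET /rest/synchronizer/1.0/technicalUser HTTP/1.1" 200 2048 31 "-" "python-requests/2.31" "s2"',
    '10.0.0.5 1002x7x1 bob [12/Apr/2023:10:01:12 +0000] "GET /rest/synchronizer/1.0/technicalUser?page=2 HTTP/1.1" 200 1024 19 "-" "python-requests/2.31" "s2"',
    '198.51.100.9 1003x9x1 - [12/Apr/2023:10:02:00 +0000] "GET /rest/synchronizer/1.0/technicalUser HTTP/1.1" 401 0 4 "-" "curl/8.0" "-"',
    '10.0.0.8 1004x2x1 carol [12/Apr/2023:10:03:00 +0000] "GET /rest/synchronizer/1.0/technicalUser HTTP/1.1" 403 0 5 "-" "Mozilla/5.0" "s3"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for (user, ip), n in summarize(find_credential_reads(SAMPLE_LOG)).items():
        print(f"{user} from {ip} retrieved technical-user credentials {n} time(s)")
```

Any account that appears in the summary should be treated as having seen every technical user's password, so those credentials need rotating in addition to upgrading the plugin.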

Discovered by

Michał Dziekan (https://www.linkedin.com/in/micha%C5%82-dziekan-8b77b91a2/)

Related news

CVE-2023-26256: CVEs/CVE-2023-26256.md at main · 1nters3ct/CVEs

An unauthenticated path traversal vulnerability affects the "STAGIL Navigation for Jira - Menu & Themes" plugin before 2.0.52 for Jira. By modifying the fileName parameter to the snjFooterNavigationConfig endpoint, it is possible to traverse and read the file system.
