Vulnerability Details : CVE-2022-36800
Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers without the "Browse Users" permission to view groups via an Information Disclosure vulnerability in the browsegroups.action endpoint. The affected versions are before version 4.22.2.
Vulnerability category: Information leak
Products affected by CVE-2022-36800
- cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*
- cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-36800
0.08%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 33 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-36800
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
2.8
|
1.4
|
NIST |
CWE ids for CVE-2022-36800
-
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-36800
-
https://jira.atlassian.com/browse/JSDSERVER-11900
[JSDSERVER-11900] User without "Browse Users" permission can view groups - CVE-2022-36800 - Create and track feature requests for Atlassian products.Issue Tracking;Vendor Advisory
Jump to