Vulnerabilities > CVE-2020-36232 - Server-Side Request Forgery (SSRF) vulnerability in Atlassian Atlassian-Gadgets

CVSS 4.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

atlassian

CWE-918

NVD

Published: 2021-02-22

Updated: 2022-03-30

Summary

The MessageBundleWhiteList class of atlassian-gadgets before version 4.2.37, from version 4.3.0 before 4.3.14, from version 4.3.2.0 before 4.3.2.4, from version 4.4.0 before 4.4.12, and from version 5.0.0 before 5.0.1 allowed unexpected DNS lookups and requests to arbitrary services as it incorrectly obtained application base url information from the executing http request which could be attacker controlled.

Vulnerable Configurations

Part	Description	Count
Application	Atlassian Atlassian Atlassian Gadgets * Atlassian Data Center * Atlassian Jira Data Center 8.15.0 Atlassian Jira Server * Atlassian Jira Server 8.15.0	5

Common Weakness Enumeration (CWE)

CWE-918 - Server-Side Request Forgery (SSRF)

References

https://jira.atlassian.com/browse/JRASERVER-72025