Vulnerability Description
The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3 and from version 7.11.0 before version 7.11.2 allows remote attackers who can access & view an issue to obtain the email address of the reporter and assignee user of an issue despite the configured email visibility setting being set to hidden.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Atlassian | Jira | < 7.6.8 |
| Atlassian | Jira Server | >= 7.7.0, < 7.7.5 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/105165Third Party AdvisoryVDB Entry
- https://jira.atlassian.com/browse/JRASERVER-67750Issue TrackingVendor Advisory
- http://www.securityfocus.com/bid/105165Third Party AdvisoryVDB Entry
- https://jira.atlassian.com/browse/JRASERVER-67750Issue TrackingVendor Advisory
FAQ
What is CVE-2018-13391?
CVE-2018-13391 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The ProfileLinkUserFormat component of Jira Server before version 7.6.8, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from...
How severe is CVE-2018-13391?
CVE-2018-13391 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-13391?
Check the references section above for vendor advisories and patch information. Affected products include: Atlassian Jira, Atlassian Jira Server.