1. Home
  2. CVE Database
  3. CVE-2020-36232
MEDIUM · 5.0

CVE-2020-36232

The MessageBundleWhiteList class of atlassian-gadgets before version 4.2.37, from version 4.3.0 before 4.3.14, from version 4.3.2.0 before 4.3.2.4, from version 4.4.0 before 4.4.12, and from version 5...

Vulnerability Description

The MessageBundleWhiteList class of atlassian-gadgets before version 4.2.37, from version 4.3.0 before 4.3.14, from version 4.3.2.0 before 4.3.2.4, from version 4.4.0 before 4.4.12, and from version 5.0.0 before 5.0.1 allowed unexpected DNS lookups and requests to arbitrary services as it incorrectly obtained application base url information from the executing http request which could be attacker controlled.

CVSS Score

5.0

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE

Affected Products

VendorProductVersions
AtlassianAtlassian-Gadgets< 4.2.37
AtlassianData Center>= 8.5.11, < 8.13.2
AtlassianJira Data Center8.15.0
AtlassianJira Server>= 8.5.11, < 8.13.2

Related Weaknesses (CWE)

CWE-918

References

FAQ

What is CVE-2020-36232?

CVE-2020-36232 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The MessageBundleWhiteList class of atlassian-gadgets before version 4.2.37, from version 4.3.0 before 4.3.14, from version 4.3.2.0 before 4.3.2.4, from version 4.4.0 before 4.4.12, and from version 5...

How severe is CVE-2020-36232?

CVE-2020-36232 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-36232?

Check the references section above for vendor advisories and patch information. Affected products include: Atlassian Atlassian-Gadgets, Atlassian Data Center, Atlassian Jira Data Center, Atlassian Jira Server.