One of the most popular developer tools has a critical vulnerability

News
By published

Vulnerability could allow hackers to obtain sensitive user information

(Image credit: Shutterstock)

A new vulnerability that enables an attacker to obtain sensitive user information has been discovered in Jira which is a popular system for bug tracking, interacting with users and project management.

The information disclosure vulnerability, tracked as CVE-2020-14181, has a CVSS score of 5.3 and was first found by Positive Technologies expert Mikhail Klyuchnikov. The vulnerability affects Jira Server and Data Center and occurs because any unauthorized user can access a specific script.

Jira's developer Atlassian is known for making popular products that are used by 170,000 clients in over 190 countries and 83 percent of its customers are part of the Fortune Global 500.

Jira vulnerability

Senior security researcher at Positive Technologies Mikhail Klyuchnikov provided further insight on the vulnerability he discovered in a press release, saying:

"Such vulnerabilities help attackers to significantly save time in their attempts to breach systems: they make it possible to determine the presence of an account with a particular login in the system. By bruteforcing various logins, attackers can identify which users are present in the system. If a login exists, the system discloses the user's personal data (in cases where such data is present), and if a login is not found, the system reports it. 

“After bruteforcing the existing logins, the attackers could go on to bruteforce the passwords of each existing user. Without this vulnerability, attackers would have to haphazardly bruteforce the passwords to logins which might not exist in the system. The vulnerability reduces the time hackers would need and decreases the probability of being detected, which, ultimately, makes the target less attractive for attackers. That's why we strongly recommend installing the updates."

Thankfully though, Atlassian has patched the vulnerability in product versions 7.13.6, 8.5.7 and 8.12.0 and customers should install it immediately to prevent falling victim to any potential attacks exploiting it.

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
UK Prime Minister Sir Kier Starmer
The UK releases timeline for migration to post-quantum cryptography
ransomware avast
Ransomware attacks are costing Government offices a month of downtime on average
Lock on Laptop Screen
Data breach at Pennsylvania education union potentially exposes 500,000 victims
Data leak
Top collectibles site leaks personal data of nearly a million users
Spyware
Stalkerware data breach potentially hits over 2 million users, including thousands of Apple devices
An American flag flying outside the US Capitol building against a blue sky
Five Eyes "cannot replace US intel in Ukraine", claims former US Cyber Command Chief
Latest in News
UK Prime Minister Sir Kier Starmer
The UK releases timeline for migration to post-quantum cryptography
The Samsung Galaxy S25 Edge on display the January 22, 2025 Galaxy Unpacked event.
A fresh Samsung Galaxy S25 Edge benchmark leak has eased my worries about its performance
Gmail at 20
Your Gmail search results are about to get a huge change - and I'm not sure you're going to be happy with it
Google Pixel 9 in green Wintergreen color showing AI features on screen
Older Pixels just got a big performance boost, while the Pixel 9a is lacking a key feature
Google Pixel Watch 3
Google Pixel Watch 3's Loss of Pulse Detection could save your life – here's how the company created it
Wonka poster
Netflix cooks up sweet new reality TV series based on Charlie and the Chocolate Factory, and it's a dream come true for me
More about security
ransomware avast

Ransomware attacks are costing Government offices a month of downtime on average
Data leak

Top collectibles site leaks personal data of nearly a million users
UK Prime Minister Sir Kier Starmer

The UK releases timeline for migration to post-quantum cryptography

See more latest
Most Popular
UK Prime Minister Sir Kier Starmer
The UK releases timeline for migration to post-quantum cryptography
Google Pixel Watch 3
Google Pixel Watch 3's Loss of Pulse Detection could save your life – here's how the company created it
Gmail at 20
Your Gmail search results are about to get a huge change - and I'm not sure you're going to be happy with it
The Samsung Galaxy S25 Edge on display the January 22, 2025 Galaxy Unpacked event.
A fresh Samsung Galaxy S25 Edge benchmark leak has eased my worries about its performance
Google Pixel 9 in green Wintergreen color showing AI features on screen
Older Pixels just got a big performance boost, while the Pixel 9a is lacking a key feature
Wonka poster
Netflix cooks up sweet new reality TV series based on Charlie and the Chocolate Factory, and it's a dream come true for me
Google NotebookLM on a MacBook.
Google’s NotebookLM adds Mind Maps to its string of research tools to help you learn faster than ever
Mark S and Helly R standing by their desks bathed in blue light in Severance's season 2 finale
Severance season 2 episode 10 ending explained: what does Mark do, who dies, will there be a season 3, and more big questions answered
YouTube Premium
Would you pay for better sound on YouTube? The video-sharing platform could soon let you control audio quality, but it'll cost you
Hugging Snap
This AI app claims it can see what I'm looking at – which it mostly can