VYPR
← All advisories
Unrated severityNVD Advisory· Published Feb 18, 2021· Updated Sep 17, 2024

CVE-2020-29453

CVE-2020-29453

Description

Unauthenticated attackers can read arbitrary files in WEB-INF and META-INF directories in Jira Server/Data Center via a path access check flaw.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated attackers can read arbitrary files in WEB-INF and META-INF directories in Jira Server/Data Center via a path access check flaw.

Vulnerability

The CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center contains an incorrect path access check that allows unauthenticated remote attackers to read arbitrary files within the WEB-INF and META-INF directories. Affected versions are before 8.5.11, from 8.6.0 before 8.13.3, and from 8.14.0 before 8.15.0 [1].

Exploitation

An attacker with network access to the Jira instance can exploit this vulnerability without any authentication. By sending a specially crafted request that bypasses the path validation, the attacker can read files such as web.xml or other configuration files located in the WEB-INF and META-INF directories [1].

Impact

Successful exploitation allows the attacker to read sensitive files within the WEB-INF and META-INF directories, potentially exposing configuration details, credentials, or source code. This information disclosure could aid in further attacks against the Jira instance [1].

Mitigation

Atlassian has fixed this vulnerability in Jira Server and Jira Data Center versions 8.5.11, 8.13.3, and 8.15.0. Users should upgrade to these versions or later. No workarounds have been published [1].

References
  1. Loading...

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4
  • Atlassian/Jira Serverllm-fuzzy2 versions
    < 8.5.11, >= 8.6.0 < 8.13.3, >= 8.14.0 < 8.15.0+ 1 more
    • (no CPE)range: < 8.5.11, >= 8.6.0 < 8.13.3, >= 8.14.0 < 8.15.0
    • (no CPE)range: unspecified
  • Atlassian/Jira Core Data Centerllm-fuzzy2 versions
    < 8.5.11, >= 8.6.0 < 8.13.3, >= 8.14.0 < 8.15.0+ 1 more
    • (no CPE)range: < 8.5.11, >= 8.6.0 < 8.13.3, >= 8.14.0 < 8.15.0
    • (no CPE)range: unspecified

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.