CVE-2020-36239

CVE-2020-36239

Vendor Atlassian
Product Jira Data Center
Weakness CWE-862 · Missing authorization
Published July 29, 2021
Last update October 17, 2024
View on NVD All CVEs

CVSS base score

What the vulnerability does

01Description

Jira Data Center, Jira Core Data Center, Jira Software Data Center from version 6.3.0 before 8.5.16, from 8.6.0 before 8.13.8, from 8.14.0 before 8.17.0 and Jira Service Management Data Center from version 2.0.2 before 4.5.16, from version 4.6.0 before 4.13.8, and from version 4.14.0 before 4.17.0 exposed a Ehcache RMI network service which attackers, who can connect to the service, on port 40001 and potentially 40011[0][1], could execute arbitrary code of their choice in Jira through deserialization due to a missing authentication vulnerability. While Atlassian strongly suggests restricting access to the Ehcache ports to only Data Center instances, fixed versions of Jira will now require a shared secret in order to allow access to the Ehcache service. [0] In Jira Data Center, Jira Core Data Center, and Jira Software Data Center versions prior to 7.13.1, the Ehcache object port can be randomly allocated. [1] In Jira Service Management Data Center versions prior to 3.16.1, the Ehcache object port can be randomly allocated.

Key dates

02Disclosure timeline

July 29, 2021 CVE published
October 17, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-32397 WordPress Filter & Grids plugin <= 3.5.1 - Broken Access Control vulnerability CVE-2025-62972 WordPress WebinarPress plugin <= 1.33.28 - Broken Access Control vulnerability CVE-2025-68581 WordPress YITH Slider for page builders plugin <= 1.0.11 - Broken Access Control vulnerability CVE-2026-2992 KiviCare <= 4.1.2 - Missing Authorization to Unauthenticated Privilege Escalation via Setup Wizard CVE-2025-60127 WordPress CopySafe Web Protection plugin <= 5.1 - Broken Access Control vulnerability