CVE-2020-36289 Overview
CVE-2020-36289 is an information disclosure vulnerability affecting Atlassian Jira Server and Jira Data Center. The flaw resides in the QueryComponentRendererValue!Default.jspa endpoint, which fails to enforce authorization on requests. An unauthenticated remote attacker can query this endpoint to enumerate valid user accounts on the target Jira instance. The weakness is classified as [CWE-863] Incorrect Authorization. While the vulnerability does not directly grant code execution or data tampering, harvested usernames support follow-on credential stuffing, password spraying, and targeted phishing campaigns against the Jira deployment.
Critical Impact
Unauthenticated attackers can enumerate valid Jira user accounts via the QueryComponentRendererValue!Default.jspa endpoint, enabling reconnaissance for credential-based attacks.
Affected Products
- Atlassian Jira Server and Jira Data Center versions before 8.5.13
- Atlassian Jira Server and Jira Data Center versions from 8.6.0 before 8.13.5
- Atlassian Jira Server and Jira Data Center versions from 8.14.0 before 8.15.1
Discovery Timeline
- 2021-05-12 - CVE-2020-36289 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-36289
Vulnerability Analysis
The vulnerability resides in the QueryComponentRendererValue!Default.jspa endpoint of Jira Server and Data Center. This endpoint is intended to render query components within authenticated Jira workflows. However, the endpoint accepts requests without verifying that the caller is authenticated or authorized. By submitting crafted requests referencing specific usernames, an attacker observes differential responses that reveal whether a given account exists. The flaw aligns with [CWE-863] Incorrect Authorization, where access control checks are missing from a sensitive function. Although exploitation only exposes user identifiers, valid usernames are a prerequisite for password spraying against Jira's authentication endpoints and for crafting convincing spear-phishing messages aimed at developers, administrators, or service accounts. EPSS data places this CVE in a high probability tier for exploitation activity, reflecting how trivial the enumeration request is to issue at scale.
Root Cause
The root cause is missing authorization enforcement on the QueryComponentRendererValue!Default.jspa action handler. Jira's standard servlet filters and permission checks do not gate access to this endpoint, so the underlying component logic processes requests from anonymous callers. The endpoint's response varies based on whether the supplied user identifier resolves, providing an oracle for enumeration.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends HTTP GET or POST requests to /secure/QueryComponentRendererValue!Default.jspa on a reachable Jira instance, iterating through candidate usernames. Response variations indicate which accounts exist. The technique scales to large username lists with simple scripting and standard HTTP tooling.
No verified public proof-of-concept code is referenced in the advisory. See the Atlassian Jira Issue JRASERVER-71559 for vendor technical details.
Detection Methods for CVE-2020-36289
Indicators of Compromise
- Repeated unauthenticated HTTP requests to /secure/QueryComponentRendererValue!Default.jspa from a single source address
- High-volume sequential requests against the endpoint with varying user-identifier parameters
- Access log entries showing the endpoint returning 200 responses to requests with no authenticated user recorded (anonymous sessions)
Detection Strategies
- Parse Jira access logs for requests to QueryComponentRendererValue!Default.jspa and correlate request volume per source IP over short time windows
- Alert on anonymous (unauthenticated) requests to the endpoint; legitimate use occurs inside authenticated workflows, so on instances that permit anonymous browsing, baseline normal anonymous traffic first to avoid false positives
- Compare requested user identifiers against the Jira user directory to detect enumeration patterns testing nonexistent accounts
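The per-source burst detection described above, written out as an added example (not code from Atlassian or from the original page). It assumes the default Jira access log layout (source IP, request id, username with "-" for anonymous, bracketed timestamp, quoted request line, status); the log lines are constructed for the demo, the endpoint path is the real one, and the query parameter name used in the sample lines is hypothetical. Because the enumeration parameter is not named on the page, the script counts distinct query strings per source rather than parsing a specific parameter.

```python
"""Detect CVE-2020-36289 enumeration bursts in Jira access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

ENDPOINT = "/secure/QueryComponentRendererValue!Default.jspa"

# Assumed Jira/Tomcat access log layout:
#   <ip> <request-id> <username|-> [<timestamp>] "<method> <path> <proto>" <status> ...
# Anything after the status code is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<reqid>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: 203.0.113.7 hammers the endpoint anonymously with varying
# query strings (parameter name "q" is hypothetical); 198.51.100.4 is a logged-in
# user making two ordinary requests; the last line is unrelated traffic.
SAMPLE_LOG = [
    '203.0.113.7 1x1x1 - [12/May/2021:10:00:00 +0000] "GET /secure/QueryComponentRendererValue!Default.jspa?q=user1 HTTP/1.1" 200 512 40 "-" "python-requests/2.25" "-"',
    '203.0.113.7 1x2x1 - [12/May/2021:10:00:05 +0000] "GET /secure/QueryComponentRendererValue!Default.jspa?q=user2 HTTP/1.1" 200 498 38 "-" "python-requests/2.25" "-"',
    '203.0.113.7 1x3x1 - [12/May/2021:10:00:10 +0000] "GET /secure/QueryComponentRendererValue!Default.jspa?q=user3 HTTP/1.1" 200 501 41 "-" "python-requests/2.25" "-"',
    '203.0.113.7 1x4x1 - [12/May/2021:10:00:15 +0000] "GET /secure/QueryComponentRendererValue!Default.jspa?q=user4 HTTP/1.1" 200 499 39 "-" "python-requests/2.25" "-"',
    '203.0.113.7 1x5x1 - [12/May/2021:10:00:20 +0000] "GET /secure/QueryComponentRendererValue!Default.jspa?q=user5 HTTP/1.1" 200 503 42 "-" "python-requests/2.25" "-"',
    '203.0.113.7 1x6x1 - [12/May/2021:10:00:25 +0000] "GET /secure/QueryComponentRendererValue!Default.jspa?q=user6 HTTP/1.1" 200 500 40 "-" "python-requests/2.25" "-"',
    '198.51.100.4 2x1x1 jdoe [12/May/2021:10:01:00 +0000] "GET /secure/QueryComponentRendererValue!Default.jspa?q=user1 HTTP/1.1" 200 512 35 "-" "Mozilla/5.0" "abc"',
    '198.51.100.4 2x2x1 jdoe [12/May/2021:10:03:00 +0000] "GET /secure/QueryComponentRendererValue!Default.jspa?q=user2 HTTP/1.1" 200 498 33 "-" "Mozilla/5.0" "abc"',
    '198.51.100.4 2x3x1 jdoe [12/May/2021:10:03:05 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 9000 120 "-" "Mozilla/5.0" "abc"',
]


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_enumeration(lines, threshold=5, window_s=60):
    """Return one alert per source IP that sends >= threshold requests to the
    vulnerable endpoint within any sliding window of window_s seconds."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"].split("?", 1)[0] != ENDPOINT:
            continue
        per_ip[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start, peak = 0, 0
        for end in range(len(recs)):  # two-pointer sliding window over sorted timestamps
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({
                "ip": ip,
                "peak_in_window": peak,
                "total": len(recs),
                "anonymous": sum(1 for r in recs if r["user"] == "-"),
                "distinct_queries": len({r["path"] for r in recs}),
                "ok_200": sum(1 for r in recs if r["status"] == 200),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

Feed real access logs line by line into detect_enumeration; tune threshold and window_s to the instance's baseline, and treat alerts with a high anonymous count and high distinct_queries as the strongest enumeration signal.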
Monitoring Recommendations
- Forward Jira HTTP access logs and authentication logs to a centralized SIEM for correlation with downstream authentication failures
- Monitor for password-spray patterns immediately following bursts of requests to the vulnerable endpoint
- Track external scanner activity targeting Atlassian-specific URI paths through web application firewall (WAF) telemetry
How to Mitigate CVE-2020-36289
Immediate Actions Required
- Upgrade Jira Server or Jira Data Center to a fixed release for your line: 8.5.13, 8.13.5, or 8.15.1 (or later)
- Restrict network exposure of Jira instances to trusted networks or VPN until patches are applied
- Review authentication logs for password-spraying activity that may have followed prior enumeration attempts
Patch Information
Atlassian addressed CVE-2020-36289 in Jira Server and Jira Data Center versions 8.5.13, 8.13.5, and 8.15.1. Administrators running the 8.5.x long-term support line should move to 8.5.13 or later. Deployments on the 8.6.0 through 8.13.4 range require 8.13.5 or later, and 8.14.0 through 8.15.0 deployments require 8.15.1 or later. Refer to Atlassian Jira Issue JRASERVER-71559 for the official advisory.
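A version check against the three affected ranges above, as an added example (not Atlassian's code or code from the original page). It assumes versions are dotted numerics like "8.13.4"; the inventory entries and the serverInfo-style payload are constructed, and the idea of reading the version from a JSON document shaped like Jira's /rest/api/2/serverInfo response is an assumption about how an operator would collect it.

```python
"""Classify Jira Server / Data Center versions against the CVE-2020-36289 fix lines (added example)."""
import json

# [first affected, first fixed) ranges as stated in the advisory summary.
AFFECTED_RANGES = [
    ((0, 0, 0), (8, 5, 13)),
    ((8, 6, 0), (8, 13, 5)),
    ((8, 14, 0), (8, 15, 1)),
]


def parse_version(text):
    """'8.13.4' -> (8, 13, 4); tolerates suffixes like '8.13.4-EAP01' and short forms."""
    nums = []
    for part in text.strip().split(".")[:3]:
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def fix_status(version):
    """Return whether `version` is in an affected range and the release that closes it."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return {"version": version, "affected": True, "upgrade_to": ".".join(map(str, hi))}
    return {"version": version, "affected": False, "upgrade_to": None}


def status_from_server_info(payload):
    """Take a JSON document containing a 'version' key (assumed serverInfo shape)."""
    return fix_status(json.loads(payload)["version"])


# Constructed inventory for the demo.
INVENTORY = {"jira-prod": "8.13.4", "jira-lts": "8.5.13", "jira-test": "8.14.0", "jira-old": "7.13.0"}

if __name__ == "__main__":
    for host, ver in INVENTORY.items():
        print(host, fix_status(ver))
```

Run it over an exported inventory; anything reporting affected=True should be scheduled for the listed upgrade_to release or later on that line.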
Workarounds
- Place Jira behind an authenticating reverse proxy that blocks unauthenticated access to /secure/QueryComponentRendererValue!Default.jspa
- Deploy WAF rules that rate-limit or block anonymous requests to the affected endpoint
- Enforce strong password policies and multi-factor authentication on all Jira accounts to reduce the value of harvested usernames
# Example NGINX reverse-proxy rule for the vulnerable endpoint (interim control, not a fix).
# Caveat: Jira hands a JSESSIONID to anonymous visitors as well, so a cookie-presence check
# only stops naive scanners; an attacker can load any page first and replay the cookie.
# Pair it with per-source rate limiting and upgrade as soon as possible.
limit_req_zone $binary_remote_addr zone=jira_enum:10m rate=5r/m;   # must be placed in the http {} block
location ~ ^/secure/QueryComponentRendererValue!Default\.jspa {
    if ($http_cookie !~* "JSESSIONID") {
        return 403;   # "return" is one of the safe uses of "if" inside a location
    }
    limit_req zone=jira_enum burst=10 nodelay;
    proxy_pass http://jira_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.