An issue summary information disclosure vulnerability exists in Atlassian Jira Tempo plugin, version 4.10.0. Authenticated users can obtain the summary for issues they do not have permission to view via the Tempo plugin.
Atlassian Jira 7.6.4
Atlassian Jira Tempo Core system plugin 4.10.0
4.3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE-862 - Missing Authorization
An attacker can use this vector to view the summary of arbitrary issues. For the exploit to succeed, the user must have a valid authenticated session. The response does not disclose any of the actual time-tracking information collected by the Tempo plugin, only the issue summary.
With an authenticated session, submit a GET to
<ISSUE-KEY> with a valid issue key.
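As an added illustration, not Tempo's or Atlassian's own code, the following minimal Jira 7.x REST resource (JAX-RS, Jira public Java API) contrasts the CWE-862 pattern this advisory describes with its fix: a handler that treats authentication as sufficient, beside one that also checks the caller's Browse Projects permission on the specific issue before returning its summary. The resource path, class name and method names are assumptions chosen for the example.

```java
import com.atlassian.jira.component.ComponentAccessor;
import com.atlassian.jira.issue.Issue;
import com.atlassian.jira.permission.ProjectPermissions;
import com.atlassian.jira.security.PermissionManager;
import com.atlassian.jira.user.ApplicationUser;
import java.util.Collections;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

// Hypothetical resource for illustration; the path is an assumption, not Tempo's endpoint.
@Path("/example-summary")
@Produces(MediaType.APPLICATION_JSON)
public class IssueSummaryResource {

    // INSECURE (the flaw class in this advisory): the session proves who the caller is,
    // but nothing checks whether that user may browse the issue, so any valid issue key
    // yields its summary.
    @GET
    @Path("/insecure/{issueKey}")
    public Response insecureSummary(@PathParam("issueKey") String issueKey) {
        Issue issue = ComponentAccessor.getIssueManager().getIssueObject(issueKey);
        if (issue == null) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        return Response.ok(Collections.singletonMap("summary", issue.getSummary())).build();
    }

    // FIXED: ask Jira's PermissionManager whether this user holds Browse Projects on this
    // issue (the issue-based overload also applies the issue's security level). Unknown and
    // forbidden keys both answer 404 so the endpoint cannot confirm which keys exist.
    @GET
    @Path("/secure/{issueKey}")
    public Response secureSummary(@PathParam("issueKey") String issueKey) {
        ApplicationUser user = ComponentAccessor.getJiraAuthenticationContext().getLoggedInUser();
        if (user == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        Issue issue = ComponentAccessor.getIssueManager().getIssueObject(issueKey);
        PermissionManager perms = ComponentAccessor.getPermissionManager();
        if (issue == null || !perms.hasPermission(ProjectPermissions.BROWSE_PROJECTS, issue, user)) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        return Response.ok(Collections.singletonMap("summary", issue.getSummary())).build();
    }
}
```

When reviewing a plugin for this class of bug, look for every REST or servlet handler that resolves an issue from a caller-supplied key and confirm it performs an issue-level permission check rather than relying on the user merely being logged in.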
2019-05-14 - Vendor Disclosure
2019-06-11 - Issued to 3rd party vendor (Tempo)
2019-06-21 - Vendor (Tempo) fixed
2019-09-16 - Public Release
Discovered by Ben Taylor of Cisco ASIG.