[BAM-20647] Improper Authorization in Bambooo through ATST Plugin - CVE-2019-15005 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 6.10.2
Affects Version/s: 6.2.0, (35)
6.3.0, 6.2.1, 6.2.2, 6.2.3, 6.3.1, 6.2.5, 6.4.0, 6.2.8, 6.3.2, 6.2.9, 6.5.0, 6.4.1, 6.3.3, 6.4.2, 6.5.1, 6.6.0, 6.3.4, 6.7.0, 6.6.1, 6.6.2, 6.6.3, 6.8.0, 6.6.4, 6.7.2, 6.7.1, 6.7.3, 6.8.1, 6.9.0, 6.8.2, 6.10.0, 6.9.1, 6.8.3, 6.9.2, 6.9.3, 6.10.1
Component/s: System Administration - Troubleshooting and Support Tools (ATST)
Labels:

Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

The Atlassian Troubleshooting and Support Tools (ATST) plugin prior to version 1.17.2 which was used in Bamboo before version 6.10.2, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into.

relates to

BSERV-11960 Improper Authorization in Bitbucket Server through ATST Plugin - CVE-2019-15005

Closed

Said made changes - 10/Dec/2019 3:24 AM

Labels

Original: CVE-2019-15005 advisory advisory-released cvss-medium security

New: CVE-2019-15005 advisory advisory-released cvss-medium improper-authorization security

David Black made changes - 08/Nov/2019 3:50 AM

Labels

Original: CVE-2019-15005 advisory advisory-released advisory-to-release cvss-medium security

New: CVE-2019-15005 advisory advisory-released cvss-medium security

David Black made changes - 08/Nov/2019 3:48 AM

Labels	Original: CVE-2019-15005 advisory advisory-to-release cvss-medium security	New: CVE-2019-15005 advisory advisory-released advisory-to-release cvss-medium security
Security	Original: Atlassian Staff [ 10750 ]

David Black made changes - 07/Nov/2019 9:53 PM

Description

Original: The Atlassian Troubleshooting and Support Tools (ATST) plugin prior to version 1.17.2 in Bamboo before version 6.10.2, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into.

New: The Atlassian Troubleshooting and Support Tools (ATST) plugin prior to version 1.17.2 which was used in Bamboo before version 6.10.2, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into.

David Black made changes - 07/Nov/2019 9:53 PM

Description

Original: The Atlassian Troubleshooting and Support Tools (ATST) plugin prior to version 1.17.2 in Bamboo from 6.2.0 and before 6.10.2, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into.

New: The Atlassian Troubleshooting and Support Tools (ATST) plugin prior to version 1.17.2 in Bamboo before version 6.10.2, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into.

David Black made changes - 03/Nov/2019 11:35 PM

Link

New: This issue relates to ~~BSERV-11960~~ [ ~~BSERV-11960~~ ]

David Black made changes - 03/Nov/2019 11:33 PM

Labels

Original: advisory advisory-to-release cve-2019-15003 cvss-medium security

New: CVE-2019-15005 advisory advisory-to-release cvss-medium security

David Black made changes - 03/Nov/2019 11:33 PM

Summary

Original: Improper Authorization in Bambooo through ATST Plugin - CVE-2019-15003

New: Improper Authorization in Bambooo through ATST Plugin - CVE-2019-15005

David Black added a comment - 03/Nov/2019 11:32 PM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 4.3 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	Low
Integrity	None
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

David Black added a comment - 03/Nov/2019 11:32 PM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 4.3 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Yasmine made changes - 09/Oct/2019 4:38 PM

Link

Original: This issue is cloned from ~~BSERV-11960~~ [ ~~BSERV-11960~~ ]

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 1 Start watching this issue

Created:: 26/Sep/2019 4:19 PM

Updated:: 10/Dec/2019 3:24 AM

Resolved:: 26/Sep/2019 4:23 PM

Details

Description

Attachments

Issue Links

Forms

Activity

[BAM-20647] Improper Authorization in Bambooo through ATST Plugin - CVE-2019-15005

Collapse comment: David Black added a comment - 03/Nov/2019 11:32 PM

Expand comment: David Black added a comment - 03/Nov/2019 11:32 PM

People

Dates