Uploaded image for project: 'Crowd Data Center'
  1. Crowd Data Center
  2. CWD-5466

Improper Authorization in Crowd through ATST Plugin - CVE-2019-15005

      The Atlassian Troubleshooting and Support Tools (ATST) plugin prior to version 1.17.2 which was used in Crowd & Crowd Data Center before version 3.6.0, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into.

            [CWD-5466] Improper Authorization in Crowd through ATST Plugin - CVE-2019-15005

            Said made changes -
            Labels Original: CVE-2019-15005 advisory advisory-released cvss-medium security New: CVE-2019-15005 advisory advisory-released cvss-medium improper-authorization security
            David Black made changes -
            Labels Original: CVE-2019-15005 advisory advisory-released advisory-to-release cvss-medium security New: CVE-2019-15005 advisory advisory-released cvss-medium security
            David Black made changes -
            Labels Original: CVE-2019-15005 advisory advisory-to-release cvss-medium security New: CVE-2019-15005 advisory advisory-released advisory-to-release cvss-medium security
            Security Original: Atlassian Staff [ 10750 ]
            David Black made changes -
            Description Original: The Atlassian Troubleshooting and Support Tools (ATST) plugin prior to version 1.17.2 in Crowd & Crowd Data Center before version 3.6.0, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. New: The Atlassian Troubleshooting and Support Tools (ATST) plugin prior to version 1.17.2 which was used in Crowd & Crowd Data Center before version 3.6.0, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into.
            David Black made changes -
            Description Original: The Atlassian Troubleshooting and Support Tools (ATST) plugin prior to version 1.17.2 in Crowd / Crowd Data Center from 3.2.0 and before 3.6.0, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. New: The Atlassian Troubleshooting and Support Tools (ATST) plugin prior to version 1.17.2 in Crowd & Crowd Data Center before version 3.6.0, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into.
            David Black made changes -
            Link New: This issue relates to BSERV-11960 [ BSERV-11960 ]
            David Black made changes -
            Labels Original: advisory advisory-to-release cve-2019-15003 cvss-medium security New: CVE-2019-15005 advisory advisory-to-release cvss-medium security
            David Black made changes -
            Summary Original: Improper Authorization in Crowd through ATST Plugin - CVE-2019-15003 New: Improper Authorization in Crowd through ATST Plugin - CVE-2019-15005

            This is an independent assessment and you should evaluate its applicability to your own IT environment.
            CVSS v3 score: 4.3 => Medium severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity Low
            Privileges Required Low
            User Interaction None

            Scope Metric

            Scope Unchanged

            Impact Metrics

            Confidentiality Low
            Integrity None
            Availability None

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

            David Black added a comment - This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 4.3 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
            Yasmine made changes -
            Link Original: This issue is cloned from BSERV-11960 [ BSERV-11960 ]

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Affected customers:
              0 This affects my team
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: