[CWD-5466] Improper Authorization in Crowd through ATST Plugin - CVE-2019-15005 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 3.6.0
Affects Version/s: 3.2.0, (26)
3.2.1, 3.2.2, 3.2.3, 3.3.0, 3.2.4, 3.2.5, 3.3.1, 3.4.0, 3.3.2, 3.2.6, 3.2.7, 3.3.3, 3.2.8, 3.3.4, 3.3.6, 3.3.5, 3.4.1, 3.5.0, 3.4.3, 3.4.4, 3.4.5, 3.3.7, 3.4.6, 3.4.7, 3.5.1, 3.5.2
Component/s: Plugins
Labels:

Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

The Atlassian Troubleshooting and Support Tools (ATST) plugin prior to version 1.17.2 which was used in Crowd & Crowd Data Center before version 3.6.0, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into.

relates to

BSERV-11960 Improper Authorization in Bitbucket Server through ATST Plugin - CVE-2019-15005

Closed

Said made changes - 10/Dec/2019 3:24 AM

Labels

Original: CVE-2019-15005 advisory advisory-released cvss-medium security

New: CVE-2019-15005 advisory advisory-released cvss-medium improper-authorization security

David Black made changes - 08/Nov/2019 3:49 AM

Labels

Original: CVE-2019-15005 advisory advisory-released advisory-to-release cvss-medium security

New: CVE-2019-15005 advisory advisory-released cvss-medium security

David Black made changes - 08/Nov/2019 3:48 AM

Labels	Original: CVE-2019-15005 advisory advisory-to-release cvss-medium security	New: CVE-2019-15005 advisory advisory-released advisory-to-release cvss-medium security
Security	Original: Atlassian Staff [ 10750 ]

David Black made changes - 07/Nov/2019 9:55 PM

Description

Original: The Atlassian Troubleshooting and Support Tools (ATST) plugin prior to version 1.17.2 in Crowd & Crowd Data Center before version 3.6.0, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into.

New: The Atlassian Troubleshooting and Support Tools (ATST) plugin prior to version 1.17.2 which was used in Crowd & Crowd Data Center before version 3.6.0, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into.

David Black made changes - 07/Nov/2019 9:53 PM

Description

Original: The Atlassian Troubleshooting and Support Tools (ATST) plugin prior to version 1.17.2 in Crowd / Crowd Data Center from 3.2.0 and before 3.6.0, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into.

New: The Atlassian Troubleshooting and Support Tools (ATST) plugin prior to version 1.17.2 in Crowd & Crowd Data Center before version 3.6.0, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into.

David Black made changes - 03/Nov/2019 11:35 PM

Link

New: This issue relates to ~~BSERV-11960~~ [ ~~BSERV-11960~~ ]

David Black made changes - 03/Nov/2019 11:33 PM

Labels

Original: advisory advisory-to-release cve-2019-15003 cvss-medium security

New: CVE-2019-15005 advisory advisory-to-release cvss-medium security

David Black made changes - 03/Nov/2019 11:33 PM

Summary

Original: Improper Authorization in Crowd through ATST Plugin - CVE-2019-15003

New: Improper Authorization in Crowd through ATST Plugin - CVE-2019-15005

Yasmine made changes - 09/Oct/2019 4:40 PM

Link

Original: This issue is cloned from ~~BSERV-11960~~ [ ~~BSERV-11960~~ ]

Yasmine made changes - 09/Oct/2019 4:39 PM

Description

Original: ATST plugin (version prior to 1.17.2) in Atlassian Bitbucket Server from version 5.16.9 before version 6.6.0 allows unprivilege user to create a periodic scan and access the results via email.

New: The Atlassian Troubleshooting and Support Tools (ATST) plugin prior to version 1.17.2 in Crowd / Crowd Data Center from 3.2.0 and before 3.6.0, allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into.

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 1 Start watching this issue

Created:: 26/Sep/2019 4:06 PM

Updated:: 10/Dec/2019 3:24 AM

Resolved:: 26/Sep/2019 4:06 PM

Details

Description

Attachments

Issue Links

Forms

Activity

[CWD-5466] Improper Authorization in Crowd through ATST Plugin - CVE-2019-15005

People

Dates