• Type: Bug
• Resolution: Fixed
• Priority: Medium
• Fix Version/s: 4.8.0
• Affects Version/s: 4.7.1
• Component/s: Repositories
• Labels:

  • CVE-2019-15009
  • advisory
  • advisory-released
  • cvss-medium
  • improper-authorization
  • security

[FE-7252] Improper authorization vulnerability in the /json/profile/removeStarAjax.do resource - CVE-2019-15009

David Black made changes - 11/Dec/2019 1:43 AM

Labels

Original: CVE-2019-15009 advisory advisory-to-release cvss-medium improper-authorization security

New: CVE-2019-15009 advisory advisory-released cvss-medium improper-authorization security

David Black made changes - 11/Dec/2019 1:43 AM

Security

Original: Atlassian Staff [ 10750 ]

Said made changes - 10/Dec/2019 3:24 AM

Labels

Original: CVE-2019-15009 advisory advisory-to-release cvss-medium security

New: CVE-2019-15009 advisory advisory-to-release cvss-medium improper-authorization security

David Black made changes - 10/Dec/2019 2:44 AM

Summary

Original: Improper authorization vulnerability in the /json/profile/removeStarAjax.do resource

New: Improper authorization vulnerability in the /json/profile/removeStarAjax.do resource - CVE-2019-15009

David Black made changes - 10/Dec/2019 2:44 AM

Labels

Original: advisory advisory-to-release cvss-medium security

New: CVE-2019-15009 advisory advisory-to-release cvss-medium security

Collapse comment: David Black added a comment - 10/Dec/2019 2:43 AM

David Black added a comment - 10/Dec/2019 2:43 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 4.3 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	None
Integrity	Low
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Expand comment: David Black added a comment - 10/Dec/2019 2:43 AM

David Black added a comment - 10/Dec/2019 2:43 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 4.3 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality None Integrity Low Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

David Black made changes - 10/Dec/2019 2:43 AM

Description

Original: The /json/profile/removeStarAjax.do resource in Atlassian Crucible before version 4.8.0 allows remote attackers to remove another user's favourite setting for a project via an improper authorization vulnerability.

New: The /json/profile/removeStarAjax.do resource in Atlassian Fisheye before version 4.8.0 allows remote attackers to remove another user's favourite setting for a project via an improper authorization vulnerability.

David Black made changes - 10/Dec/2019 2:42 AM

Priority

Original: Low [ 4 ]

New: Medium [ 3 ]

David Black made changes - 10/Dec/2019 2:42 AM

Resolution		New: Fixed [ 1 ]
Status	Original: Needs Triage [ 10030 ]	New: Closed [ 6 ]

David Black made changes - 10/Dec/2019 2:42 AM

Component/s		New: Repositories [ 15590 ]
Component/s	Original: Projects [ 12952 ]
Fix Version/s		New: 4.8.0 [ 85591 ]
Fix Version/s	Original: 4.8.0 [ 85091 ]
Key	Original: CRUC-8444	New: FE-7252
Affects Version/s		New: 4.7.1 [ 87092 ]
Affects Version/s	Original: 4.7.1 [ 87093 ]
Project	Original: Crucible [ 11771 ]	New: FishEye [ 11830 ]

Load more older events