Jira Data Center

[JRASERVER-70607] CSRF in Application Links plugin allows network enumeration - CVE-2019-20100

Atlassian Jira Server and Data Center before version 8.7.0 use a version of the Atlassian Application Links plugin that is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where the Jira server is present. See https://ecosystem.atlassian.net/browse/APL-1390 for further details.


Rick van Twillert (TMC) added a comment - Thanks for the update Daniel!

Daniel Rauf added a comment - The fix will be present in the 8.5.4 release, scheduled to be released during the next few days. The fix versions were incorrectly copied by our bot from an internal ticket.

Rick van Twillert (TMC) added a comment - Please include the fix for this vulnerability in Jira Enterprise Release 8.5.4.

Bastian Stehmann [neusta portal services] added a comment - Will there be a fix for the current Jira Enterprise Release 8.5?

Security Metrics Bot added a comment - This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 4.7 => Medium severity

Exploitability Metrics
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: None
  User Interaction: Required

Scope Metric
  Scope: Changed

Impact Metrics
  Confidentiality: Low
  Integrity: None
  Availability: None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
