• Type: Public Security Vulnerability
• Resolution: Fixed
• Priority: Low
• Fix Version/s: 4.22.6
• Affects Version/s: 4.22.5
• Component/s: Email - Incoming
• Labels:

  • advisory
  • advisory-released
  • dont-import
  • security
  • 🔢✅

[JSDSERVER-11888] The Mail Handler creates tickets from incoming emails in the wrong projects

Brian Adeloye (Inactive) made changes - 20/Jul/2022 2:21 PM

Security

Original: Atlassian Staff [ 10750 ]

Brian Adeloye (Inactive) made changes - 20/Jul/2022 2:21 PM

Resolution		New: Fixed [ 1 ]
Status	Original: Draft [ 12872 ]	New: Published [ 12873 ]

Brian Adeloye (Inactive) made changes - 20/Jul/2022 2:20 PM

Labels

Original: advisory advisory-to-release dont-import security 🔢✅

New: advisory advisory-released dont-import security 🔢✅

Brian Adeloye (Inactive) made changes - 20/Jul/2022 2:20 PM

Description

Original: This vulnerability affects certain versions of Atlassian Jira Service Management Server. Please describe the impact of the vulnerability here. No known vulnerability could be read off of the parent.

New: The mail handler in Jira Service Management (JSM) Server and Data Center 4.22.5 incorrectly maps new incoming emails to the wrong JSM project, instead of the project linked to the mailbox the mails were sent to. If JSM is configured to process emails and create tickets in a restricted-access project, it may incorrectly create tickets in a widely accessible project, resulting in information disclosure. h3. Affected version  * 4.22.5 h3. Fixed versions  * 4.22.x >= 4.22.6

Brian Adeloye (Inactive) made changes - 20/Jul/2022 2:10 PM

Summary

Original: An Atlassian product has a security vulnerability.

New: The Mail Handler creates tickets from incoming emails in the wrong projects

Brian Adeloye (Inactive) made changes - 20/Jul/2022 2:09 PM

Component/s

New: Email - Incoming [ 32490 ]

Security Metrics Bot made changes - 20/Jul/2022 1:46 PM

Labels

Original: advisory advisory-to-release dont-import security

New: advisory advisory-to-release dont-import security 🔢✅

Collapse comment: Security Metrics Bot added a comment - 20/Jul/2022 1:46 PM

Security Metrics Bot added a comment - 20/Jul/2022 1:46 PM

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 2.6 => Low severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	High
Privileges Required	Low
User Interaction	Required

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	Low
Integrity	None
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Expand comment: Security Metrics Bot added a comment - 20/Jul/2022 1:46 PM

Security Metrics Bot added a comment - 20/Jul/2022 1:46 PM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 2.6 => Low severity Exploitability Metrics Attack Vector Network Attack Complexity High Privileges Required Low User Interaction Required Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Brian Adeloye (Inactive) made changes - 19/Jul/2022 3:14 PM

Link

New: This issue details JSDSERVER-11884 [ JSDSERVER-11884 ]

Security Metrics Bot made changes - 19/Jul/2022 2:30 PM

Labels

New: advisory advisory-to-release dont-import security

Load more older events