[JSDSERVER-6517] URL Path Traversal in Jira Service Desk Server and Jira Service Desk Data Center Allows Information Disclosure - CVE-2019-14994 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 4.1.3, 3.9.16, 4.4.1, 4.2.5, 4.3.4, 3.16.8
Affects Version/s: 1.0, (157)
1.0.3, 1.0.4, 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2, 1.2.0.1, 1.2.0.2, 1.2.1, 1.2.4, 1.2.4.1, 1.2.5, 1.2.6, 1.2.6.1, 1.2.7, 2.0, 2.0.1, 2.0.2, 2.0.4, 2.0.3, 2.1, 2.1.1, 2.1.2, 2.2, 2.2.1, 2.3, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.5.2, 2.5.3, 2.5.4, 2.5.6, 3.0.0, 3.1.0, 2.5.8, 3.0.2, 2.5.9, 3.0.4, 3.0.5, 3.0.9, 3.0.10, 3.1.1, 3.1.2, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.11, 3.2.10, 3.2.12, 3.2.13, 3.2.14, 3.2.15, 3.3.0, 3.3.1, 3.3.2, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.2, 3.6.4, 3.7.0, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.6, 3.9.7, 3.9.8, 3.9.9, 3.9.10, 3.9.11, 3.10.0, 3.10.1, 3.10.2, 3.10.4, 3.11.0, 3.11.1, 3.11.2, 3.11.4, 3.12.0, 3.12.2, 3.13.0, 3.13.1, 3.13.2, 3.14.0, 3.14.1, 3.14.2, 3.15.0, 3.15.1, 3.15.2, 3.15.3, 3.16.0, 3.16.1, 4.0.0, 3.9.12, 3.16.2, 4.0.2, 4.1.0, 4.0.3, 3.9.13, 3.16.3, 4.1.1, 4.2.0, 3.16.4, 4.1.2, 3.9.14, 4.3.0, 4.2.1, 4.4.0, 4.2.2, 3.16.5, 4.2.3, 4.3.1, 3.16.6, 4.1.3, 3.9.15, 4.2.4, 4.3.2, 4.3.3
Component/s: Customer Portal
Labels:

Fixed in Long Term Support Release/s:

Download 3.9, 3.16
Symptom Severity:
Severity 1 - Critical
Bug Fix Policy:
View Atlassian Server bug fix policy

A URL path traversal vulnerability in Jira Service Desk Server and Jira Service Desk Data Center allows a remote attacker with portal access to view all issues from all projects in the affected instance. This could include Jira Service Desk projects, Jira Core projects, and Jira Software projects. Note that when the Anyone can email the service desk or raise a request in the portal setting is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability.

Affected Versions

All versions prior to 3.9.16
Versions from 3.10.0 prior to 3.16.8
Versions from 4.0.0 prior to 4.1.3
Versions from 4.2.0 prior to 4.2.5
Versions from 4.3.0 prior to 4.3.4
Version 4.4.0

Workaround

Block requests to Jira containing .. at the reverse proxy or load balancer level
Alternatively, configure Jira to redirect requests containing .. to a safe URL via urlrewrite.xml
- Please see Jira KB for workaround details
Restart Jira

Refer to the Jira KB for more information on these workarounds.

Fix

Note: Upgrading Jira Service Desk also requires upgrading Jira Core. Check the compatibility matrix to find the equivalent version for your Jira Service Desk version.

4.4.1 which is available for download from https://www.atlassian.com/software/jira/service-desk/update.
4.3.4 which is available for download from https://www.atlassian.com/software/jira/service-desk/update.
4.2.5 which is available for download from https://www.atlassian.com/software/jira/service-desk/update.
4.1.3 which is available for download from https://www.atlassian.com/software/jira/service-desk/update.
3.16.8 which is available for download from https://www.atlassian.com/software/jira/service-desk/update.
3.9.16 which is available for download from https://www.atlassian.com/software/jira/service-desk/update.

For additional details, see the full advisory.

mentioned in: Page Failed to load; Page Failed to load; Page Failed to load; Page Failed to load; Page Failed to load; Page Loading...

relates to: JSDS-4673 Loading...

(1 mentioned in, 1 relates to)

Form Name

Alex [Atlassian,PSE] added a comment - 22/Jun/2021 12:55 AM

I have removed the workaround in this bug's detail as it is out of date. Please see Jira KB for workaround detail

Alex [Atlassian,PSE] added a comment - 22/Jun/2021 12:55 AM I have removed the workaround in this bug's detail as it is out of date. Please see Jira KB for workaround detail

Brian Adeloye (Inactive) added a comment - 19/Aug/2019 7:10 PM - edited

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 7.5 => High severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	High
Integrity	None
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Brian Adeloye (Inactive) added a comment - 19/Aug/2019 7:10 PM - edited This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 7.5 => High severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality High Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Assignee:: Unassigned

Reporter:: Brian Adeloye (Inactive)

Affected customers:: 1 This affects my team

Watchers:: 10 Start watching this issue

Created:: 19/Aug/2019 7:00 PM

Updated:: 22/Jun/2021 12:55 AM

Resolved:: 16/Sep/2019 12:25 AM

Details

Description

Affected Versions

Workaround

Fix

Attachments

Issue Links

Forms

Activity

[JSDSERVER-6517] URL Path Traversal in Jira Service Desk Server and Jira Service Desk Data Center Allows Information Disclosure - CVE-2019-14994

Collapse comment: Alex [Atlassian,PSE] added a comment - 22/Jun/2021 12:55 AM

Expand comment: Alex [Atlassian,PSE] added a comment - 22/Jun/2021 12:55 AM

Collapse comment: Brian Adeloye (Inactive) added a comment - 19/Aug/2019 7:10 PM, Edited by David Black - 17/Sep/2019 4:21 AM

Expand comment: Brian Adeloye (Inactive) added a comment - 19/Aug/2019 7:10 PM, Edited by David Black - 17/Sep/2019 4:21 AM

People

Dates