Jira Service Management Data Center / JSDSERVER-6517

URL Path Traversal in Jira Service Desk Server and Jira Service Desk Data Center Allows Information Disclosure - CVE-2019-14994

    • Type: Bug
    • Resolution: Fixed
    • Priority: Low
    • Fix Version/s: 4.1.3, 3.9.16, 4.4.1, 4.2.5, 4.3.4, 3.16.8
    • Affects Version/s (157): 1.0, 1.0.3, 1.0.4, 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2, 1.2.0.1, 1.2.0.2, 1.2.1, 1.2.4, 1.2.4.1, 1.2.5, 1.2.6, 1.2.6.1, 1.2.7, 2.0, 2.0.1, 2.0.2, 2.0.4, 2.0.3, 2.1, 2.1.1, 2.1.2, 2.2, 2.2.1, 2.3, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.5.2, 2.5.3, 2.5.4, 2.5.6, 3.0.0, 3.1.0, 2.5.8, 3.0.2, 2.5.9, 3.0.4, 3.0.5, 3.0.9, 3.0.10, 3.1.1, 3.1.2, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.11, 3.2.10, 3.2.12, 3.2.13, 3.2.14, 3.2.15, 3.3.0, 3.3.1, 3.3.2, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.2, 3.6.4, 3.7.0, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.6, 3.9.7, 3.9.8, 3.9.9, 3.9.10, 3.9.11, 3.10.0, 3.10.1, 3.10.2, 3.10.4, 3.11.0, 3.11.1, 3.11.2, 3.11.4, 3.12.0, 3.12.2, 3.13.0, 3.13.1, 3.13.2, 3.14.0, 3.14.1, 3.14.2, 3.15.0, 3.15.1, 3.15.2, 3.15.3, 3.16.0, 3.16.1, 4.0.0, 3.9.12, 3.16.2, 4.0.2, 4.1.0, 4.0.3, 3.9.13, 3.16.3, 4.1.1, 4.2.0, 3.16.4, 4.1.2, 3.9.14, 4.3.0, 4.2.1, 4.4.0, 4.2.2, 3.16.5, 4.2.3, 4.3.1, 3.16.6, 4.1.3, 3.9.15, 4.2.4, 4.3.2, 4.3.3
    • Component/s: Customer Portal

      A URL path traversal vulnerability in Jira Service Desk Server and Jira Service Desk Data Center allows a remote attacker with portal access to view all issues from all projects in the affected instance. This could include Jira Service Desk projects, Jira Core projects, and Jira Software projects. Note that when the "Anyone can email the service desk or raise a request in the portal" setting is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability.

      Affected Versions

      • All versions prior to 3.9.16
      • Versions from 3.10.0 prior to 3.16.8
      • Versions from 4.0.0 prior to 4.1.3
      • Versions from 4.2.0 prior to 4.2.5
      • Versions from 4.3.0 prior to 4.3.4
      • Version 4.4.0

      Workaround

      • Block requests to Jira containing .. at the reverse proxy or load balancer level
      • Alternatively, configure Jira to redirect requests containing .. to a safe URL via urlrewrite.xml
        • Please see Jira KB for workaround details
      • Restart Jira

      Refer to the Jira KB for more information on these workarounds.
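      The workaround hinges on one regular expression, the `<from>` pattern `^/[^?]*\.\..*$` that appears in the removed urlrewrite.xml rule further down in this issue's history. The following Python is an added example written for this page, not Atlassian's code and not part of the KB: it evaluates that pattern against constructed request URIs so an administrator can see which requests the Jira-side rule redirects, and places beside it a proxy-side check of the kind the first workaround bullet asks for. The proxy-side function is an assumption about how an operator would implement the "block requests containing .." bullet; the advisory does not prescribe it. One caveat the regex itself makes visible: it matches a literal `..`, so whether a percent-encoded form such as `%2e%2e` is caught depends on whether the component applies the pattern to the decoded or the raw path, which is why the proxy-side check decodes before looking.

```python
import re
from urllib.parse import unquote

# The <from> pattern of the urlrewrite.xml rule quoted in this issue's history.
# Python and Java regex semantics agree for this pattern: a leading "/", any run of
# non-"?" characters, a literal "..", then anything to end of string.
URLREWRITE_FROM = re.compile(r"^/[^?]*\.\..*$")

# <to type="temporary-redirect">/</to> from the same rule.
REDIRECT_TARGET = "/"


def urlrewrite_rule_matches(request_uri: str) -> bool:
    """True when the <from> pattern of the workaround rule fires on request_uri."""
    return URLREWRITE_FROM.match(request_uri) is not None


def apply_urlrewrite_rule(request_uri: str):
    """Model the rule's effect: (302, "/") for a matching URI, None when it passes through."""
    if urlrewrite_rule_matches(request_uri):
        return (302, REDIRECT_TARGET)
    return None


def _decode_until_stable(s: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so nested encodings such as %252e collapse."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def proxy_should_block(request_target: str) -> bool:
    """Proxy-side check for the 'block requests containing ..' workaround bullet.

    Assumption (not from the advisory): the proxy sees the raw request target and
    should deny when '..' is present in the path either literally or after decoding.
    The query string is ignored, mirroring the [^?]* in the urlrewrite pattern.
    """
    path = request_target.split("?", 1)[0]
    return ".." in path or ".." in _decode_until_stable(path)


def classify(request_targets):
    """Return {target: (jira_rule_fires, proxy_blocks)} for a batch of constructed targets."""
    return {
        t: (urlrewrite_rule_matches(t), proxy_should_block(t)) for t in request_targets
    }


if __name__ == "__main__":
    # Constructed sample request targets; none are taken from the advisory.
    samples = [
        "/servicedesk/customer/portal/1",   # ordinary portal URL, must pass
        "/servicedesk/customer/portal/1/../x",  # literal traversal, both catch it
        "/a/../b?x=1",                      # literal traversal before a query string
        "/a?q=..",                          # '..' only in the query, neither rule fires
        "/a/%2e%2e/b",                      # encoded: regex misses it, decoding proxy catches it
        "/a/%252e%252e/b",                  # double-encoded: only the bounded decoder catches it
    ]
    for target, (jira_fires, proxy_blocks) in classify(samples).items():
        print(f"{target:40s} urlrewrite={jira_fires!s:5s} proxy_block={proxy_blocks}")
```

The split between the two functions is the point: the urlrewrite rule only ever sees whatever string Jira hands the filter, while a proxy can normalise before deciding, so if you rely on the proxy bullet rather than the urlrewrite bullet, test both literal and encoded forms against your actual proxy rather than assuming the regex above covers them.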

      Fix

      Note: Upgrading Jira Service Desk also requires upgrading Jira Core. Check the compatibility matrix to find the equivalent version for your Jira Service Desk version.

      • 4.4.1, available for download from https://www.atlassian.com/software/jira/service-desk/update
      • 4.3.4, available for download from https://www.atlassian.com/software/jira/service-desk/update
      • 4.2.5, available for download from https://www.atlassian.com/software/jira/service-desk/update
      • 4.1.3, available for download from https://www.atlassian.com/software/jira/service-desk/update
      • 3.16.8, available for download from https://www.atlassian.com/software/jira/service-desk/update
      • 3.9.16, available for download from https://www.atlassian.com/software/jira/service-desk/update

      For additional details, see the full advisory: https://confluence.atlassian.com/jira/jira-service-desk-security-advisory-2019-09-11-976171274.html


            Alex [Atlassian,PSE] added a comment - I have removed the workaround in this bug's detail as it is out of date. Please see Jira KB for workaround detail
            Alex [Atlassian,PSE] made changes -
            Description Original: A URL path traversal vulnerability in Jira Service Desk Server and Jira Service Desk Data Center allows a remote attacker with portal access to view all issues from all projects in the affected instance. This could include Jira Service Desk projects, Jira Core projects, and Jira Software projects. Note that when the [*Anyone can email the service desk or raise a request in the portal* setting|https://confluence.atlassian.com/servicedeskserver/managing-access-to-your-service-desk-939926273.html] is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability.
            h3. Affected Versions
             * All versions prior to 3.9.16
             * Versions from 3.10.0 prior to 3.16.8
             * Versions from 4.0.0 prior to 4.1.3
             * Versions from 4.2.0 prior to 4.2.5
             * Versions from 4.3.0 prior to 4.3.4
             * Version 4.4.0

            h3. Workaround
             * Block requests to Jira containing {{..}} at the reverse proxy or load balancer level
             * Alternatively, configure Jira to redirect requests containing {{..}} to a safe URL
             ** Add the following to the {{<urlrewrite>}} section of {{[jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml}}:
            {noformat}
              <rule>
                    <from>^/[^?]*\.\..*$</from>
                    <to type="temporary-redirect">/</to>
              </rule>{noformat}

             * [Restart Jira|https://confluence.atlassian.com/adminjiraserver/start-and-stop-jira-applications-938847802.html]

            Refer to the [Jira KB|https://confluence.atlassian.com/jirakb/migating-url-path-traversal-for-affected-cve-2019-14994-976762572.html] for more information on these workarounds.

            h3. Fix

            *Note:* Upgrading Jira Service Desk also requires upgrading Jira Core. Check the [compatibility matrix|https://confluence.atlassian.com/adminjira/jira-applications-compatibility-matrix-875304597.html] to find the equivalent version for your Jira Service Desk version.
             * 4.4.1 which is available for download from [https://www.atlassian.com/software/jira/service-desk/update].
             * 4.3.4 which is available for download from [https://www.atlassian.com/software/jira/service-desk/update].
             * 4.2.5 which is available for download from [https://www.atlassian.com/software/jira/service-desk/update].
             * 4.1.3 which is available for download from [https://www.atlassian.com/software/jira/service-desk/update].
             * 3.16.8 which is available for download from [https://www.atlassian.com/software/jira/service-desk/update].
             * 3.9.16 which is available for download from [https://www.atlassian.com/software/jira/service-desk/update].

            For additional details, see the [full advisory|https://confluence.atlassian.com/jira/jira-service-desk-security-advisory-2019-09-11-976171274.html].
            New: A URL path traversal vulnerability in Jira Service Desk Server and Jira Service Desk Data Center allows a remote attacker with portal access to view all issues from all projects in the affected instance. This could include Jira Service Desk projects, Jira Core projects, and Jira Software projects. Note that when the [*Anyone can email the service desk or raise a request in the portal* setting|https://confluence.atlassian.com/servicedeskserver/managing-access-to-your-service-desk-939926273.html] is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability.
            h3. Affected Versions
             * All versions prior to 3.9.16
             * Versions from 3.10.0 prior to 3.16.8
             * Versions from 4.0.0 prior to 4.1.3
             * Versions from 4.2.0 prior to 4.2.5
             * Versions from 4.3.0 prior to 4.3.4
             * Version 4.4.0

            h3. Workaround
             * Block requests to Jira containing {{..}} at the reverse proxy or load balancer level
             * Alternatively, configure Jira to redirect requests containing {{..}} to a safe URL via {{urlrewrite.xml}}
             ** Please see [Jira KB|https://confluence.atlassian.com/jirakb/migating-url-path-traversal-for-affected-cve-2019-14994-976762572.html] for workaround details
             * [Restart Jira|https://confluence.atlassian.com/adminjiraserver/start-and-stop-jira-applications-938847802.html]

            Refer to the [Jira KB|https://confluence.atlassian.com/jirakb/migating-url-path-traversal-for-affected-cve-2019-14994-976762572.html] for more information on these workarounds.
            h3. Fix

            *Note:* Upgrading Jira Service Desk also requires upgrading Jira Core. Check the [compatibility matrix|https://confluence.atlassian.com/adminjira/jira-applications-compatibility-matrix-875304597.html] to find the equivalent version for your Jira Service Desk version.
             * 4.4.1 which is available for download from [https://www.atlassian.com/software/jira/service-desk/update].
             * 4.3.4 which is available for download from [https://www.atlassian.com/software/jira/service-desk/update].
             * 4.2.5 which is available for download from [https://www.atlassian.com/software/jira/service-desk/update].
             * 4.1.3 which is available for download from [https://www.atlassian.com/software/jira/service-desk/update].
             * 3.16.8 which is available for download from [https://www.atlassian.com/software/jira/service-desk/update].
             * 3.9.16 which is available for download from [https://www.atlassian.com/software/jira/service-desk/update].

            For additional details, see the [full advisory|https://confluence.atlassian.com/jira/jira-service-desk-security-advisory-2019-09-11-976171274.html].
            Alex [Atlassian,PSE] made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 544490 ]
            David Black made changes -
            Labels Original: CVE-2019-14994 advisory advisory-to-release bugbounty cvss-high improper-authorization security New: CVE-2019-14994 advisory advisory-released bugbounty cvss-high improper-authorization security
            set-jac-bot made changes -
            Sven Laanela (Inactive) made changes -
            Affects Version/s Original: 3.12.3 [ 80701 ]
            Sven Laanela (Inactive) made changes -
            Affects Version/s Original: 3.11.3 [ 85596 ]
            Sven Laanela (Inactive) made changes -
            Affects Version/s Original: 4.0.4 [ 88099 ]
            Said made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 471321 ]
            Aidan Goldthorpe made changes -
            Labels Original: CVE-2019-14994 advisory advisory-to-release bugbounty cvss-high security New: CVE-2019-14994 advisory advisory-to-release bugbounty cvss-high improper-authorization security

              Assignee: Unassigned
              Reporter: Brian Adeloye (Inactive) (badeloye@atlassian.com)
              Affected customers: 1
              Watchers: 10