Uploaded image for project: 'Jira Service Management Data Center'
  1. Jira Service Management Data Center
  2. JSDSERVER-6589

URL path traversal allows information disclosure - CVE-2019-15004

XMLWordPrintable

      URL path traversal allows information disclosure - CVE-2019-15004
      Severity
      Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

      This is our assessment and you should evaluate its applicability to your own IT environment.

      Description
      By design, Jira Service Desk gives customer portal users permissions only to raise requests and view issues. This allows users to interact with the customer portal without having direct access to Jira. These restrictions can be bypassed by a remote attacker with portal access who exploits authorization bypass. Note that attackers can grant themselves access to Jira Service Desk portals that have the "Anyone can email the service desk or raise a request in the portal" setting enabled. Exploitation allows an attacker to view all issues within all Jira projects contained in the vulnerable instance. This could include Jira Service Desk projects, Jira Core projects, and Jira Software projects.

      Which versions are affected?

      All versions of Jira Service Desk before 3.9.17, from 3.10.0 before 3.16.9, from 4.0.0 to 4.0.3, from 4.1.0 to 4.1.3, from 4.2.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 are affected by this vulnerability.

      Mitigation

      Refer to the Jira KB for more information on these workarounds.

      *For more information, see the full advisory at https://confluence.atlassian.com/jira/jira-service-desk-security-advisory-2019-11-06-979412717.html.

            [JSDSERVER-6589] URL path traversal allows information disclosure - CVE-2019-15004

            set-jac-bot made changes -
            Fixed in Enterprise Release/s New: [Download 4.5, 3.9|https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html]
            Said made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 471234 ]
            Aidan Goldthorpe made changes -
            Labels Original: CVE-2019-15004 advisory advisory-released cvss-high security New: CVE-2019-15004 advisory advisory-released cvss-high improper-authorization security
            David Black made changes -
            Link New: This issue relates to JSDSERVER-6590 [ JSDSERVER-6590 ]
            David Black made changes -
            Labels Original: CVE-2019-15004 advisory advisory-to-release cvss-high security New: CVE-2019-15004 advisory advisory-released cvss-high security
            alexmin (Inactive) made changes -
            Fix Version/s New: 3.9.17 [ 89492 ]
            Fix Version/s New: 4.2.6 [ 90419 ]
            Fix Version/s New: 4.3.5 [ 90420 ]
            Fix Version/s New: 4.5.1 [ 89600 ]
            alexmin (Inactive) made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Gathering Impact [ 12072 ] New: Closed [ 6 ]
            Security Metrics Bot made changes -
            Security Original: Atlassian Staff [ 10750 ]
            Bugfix Automation Bot made changes -
            Support reference count New: 1
            Security Metrics Bot made changes -
            Due Date New: 15/Dec/2019

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Affected customers:
              0 This affects my team
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: