Information disclosure in Jira Tempo plugin
Published: 2019-09-17
| Risk | Low |
| Patch available | NO |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-5095 |
| CWE-ID | CWE-862 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
Jira Tempo plugin Client/Desktop applications / Other client software |
| Vendor | Atlassian |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Missing Authorization
EUVDB-ID: #VU21155
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2019-5095
CWE-ID:
CWE-862 - Missing Authorization
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the missing permissions check. A remote authenticated attacker can obtain the summary for issues they do not have permission to view.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsJira Tempo plugin: 4.10.0 - 4.10.0
CPE2.3 External linkshttp://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0838
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
