Main Vulnerability Database SB2019092304

SB2019092304 - Path traversal in Atlassian Jira Service Desk

Published: September 23, 2019

Security Bulletin ID SB2019092304

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Path traversal (CVE-ID: CVE-2019-14994)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists in the Customer Context Filter Jira Service Desk Server and Jira Service Desk Data Center due to input validation error when processing directory traversal sequences. A remote attacker with portal access can send a specially crafted HTTP request and gain view of all issues from all projects in the affected instance, such as Jira Service Desk projects, Jira Core projects, and Jira Software projects.

Note: When the "Anyone can email the service desk or raise a request in the portal setting" is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability.

Remediation

Install update from vendor's website.

References

https://jira.atlassian.com/browse/JSDSERVER-6517