Main Vulnerability Database Vulnerabilities #VU21272

#VU21272 Path traversal in Jira Service Management Server - CVE-2019-14994

Published: September 23, 2019 / Updated: April 5, 2020

Vulnerability identifier: #VU21272

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green

CVE-ID: CVE-2019-14994

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vulnerable software:
Jira Service Management Server

Software vendor:
Atlassian

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists in the Customer Context Filter Jira Service Desk Server and Jira Service Desk Data Center due to input validation error when processing directory traversal sequences. A remote attacker with portal access can send a specially crafted HTTP request and gain view of all issues from all projects in the affected instance, such as Jira Service Desk projects, Jira Core projects, and Jira Software projects.

Note: When the "Anyone can email the service desk or raise a request in the portal setting" is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability.

Remediation

Install updates from vendor's website.

External links

https://jira.atlassian.com/browse/JSDSERVER-6517

#VU21272 Path traversal in Jira Service Management Server - CVE-2019-14994

Description

Remediation

External links

Please verify you're human