Main Vulnerability Database Vulnerabilities #VU30378

Incorrect default permissions in Jira Software - CVE-2019-20106

Published: February 6, 2020 / Updated: July 17, 2020

Vulnerability identifier: #VU30378

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2019-20106

CWE-ID: CWE-276

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Atlassian

Affected software:
Jira Software

Detailed vulnerability description

The vulnerability allows a remote authenticated user to manipulate data.

Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug.

How to mitigate CVE-2019-20106

Install update from vendor's website.

Sources

https://jira.atlassian.com/browse/JRASERVER-70543

Incorrect default permissions in Jira Software - CVE-2019-20106

Detailed vulnerability description

How to mitigate CVE-2019-20106

Sources

Please verify you're human