Missing Authorization in Jira Software - CVE-2019-15013

Published: December 18, 2019 / Updated: July 17, 2020


Vulnerability identifier: #VU30540
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-15013
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Atlassian
Affected software:
Jira Software

Detailed vulnerability description

The vulnerability allows a remote authenticated user who holds no project administration rights to alter a project's workflow configuration.

The removeStatus method of the WorkflowResource class in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 does not verify that the caller has project administration access before acting. Any authenticated remote attacker can therefore remove a configured issue status from a project; the root cause is a missing authorization check (CWE-862), not an authentication bypass.
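The flaw class described above, shown as an added illustration that is not part of this advisory and not Atlassian's WorkflowResource code: a hypothetical "remove a status from a project's workflow" handler in its CWE-862 form, where the only gate is "is logged in", beside a hardened form that authorizes the caller against the target project before touching state. All names (User, Project, remove_status_vulnerable, remove_status_fixed, attempt, demo) and the scenario data are invented for the example.

```python
# Added illustration of CWE-862 (missing authorization) as described in the
# advisory. Hypothetical, self-contained model of a "remove status from
# project workflow" handler; NOT Atlassian's WorkflowResource code. Every
# name and data structure here is invented for the example.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    authenticated: bool = True


@dataclass
class Project:
    key: str
    admins: set[str]                           # users with project administration
    statuses: set[str] = field(default_factory=set)


def remove_status_vulnerable(user: User, project: Project, status: str) -> bool:
    """The pattern the advisory describes: the only gate is 'is logged in'."""
    if not user.authenticated:
        raise PermissionError("authentication required")
    # Missing authorization check: nothing ties the caller to project admin
    # rights on *this* project, so any authenticated account reaches the
    # state change below.
    if status not in project.statuses:
        return False
    project.statuses.discard(status)
    return True


def remove_status_fixed(user: User, project: Project, status: str) -> bool:
    """Hardened form: authenticate, then authorize against the target
    project, and only then mutate state. Deny by default."""
    if not user.authenticated:
        raise PermissionError("authentication required")
    if user.name not in project.admins:
        raise PermissionError(f"{user.name} lacks project administration on {project.key}")
    if status not in project.statuses:
        return False                           # nothing to remove, no side effect
    project.statuses.discard(status)
    return True


def attempt(handler, user: User, project: Project, status: str) -> str:
    """Run a handler and summarise the outcome as 'removed', 'no-op' or 'denied'."""
    try:
        return "removed" if handler(user, project, status) else "no-op"
    except PermissionError:
        return "denied"


def demo() -> dict[str, str]:
    """Constructed scenario: 'bob' is a plain authenticated user, 'alice' is
    a project admin. Returns the outcome of each call for inspection."""
    outcomes: dict[str, str] = {}
    before = Project("SEC", admins={"alice"}, statuses={"Open", "In Review", "Done"})
    after = Project("SEC", admins={"alice"}, statuses={"Open", "In Review", "Done"})
    bob, alice = User("bob"), User("alice")
    anon = User("anon", authenticated=False)
    outcomes["vulnerable/bob"] = attempt(remove_status_vulnerable, bob, before, "Done")
    outcomes["fixed/bob"] = attempt(remove_status_fixed, bob, after, "Done")
    outcomes["fixed/alice"] = attempt(remove_status_fixed, alice, after, "Done")
    outcomes["fixed/alice-again"] = attempt(remove_status_fixed, alice, after, "Done")
    outcomes["fixed/anonymous"] = attempt(remove_status_fixed, anon, after, "Open")
    return outcomes


if __name__ == "__main__":
    for call, outcome in demo().items():
        print(f"{call:20s} -> {outcome}")
```

The point to take from the hardened form is the ordering: the authorization decision is made against the specific project named in the request, before any state is read or changed, and the default outcome for an unrecognised caller is denial rather than fall-through.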


How to mitigate CVE-2019-15013

Update Jira Software to a fixed release: 7.13.12, 8.4.3 or 8.5.2, or a later version in the corresponding release line. Until the update is applied, keep in mind that every account able to authenticate to the instance can trigger the flaw, so limiting who can log in is the only interim control.
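To turn the affected-version ranges in the description into a repeatable check across an inventory, here is an added helper that is not part of this advisory. It parses Jira version strings numerically (so that 7.13.2 correctly sorts below 7.13.12, which a plain string comparison gets backwards) and reports which hosts fall inside the three affected ranges. The host names and versions in the sample inventory are constructed for the example; parse_version, is_affected and triage are the example's own names.

```python
# Added helper, not part of the advisory: decide whether a Jira Software
# version string falls inside the affected ranges stated in the description.
# Host names and versions in the sample inventory are constructed.
from __future__ import annotations

import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# (lower bound inclusive, upper bound exclusive). The upper bounds are the
# fixed releases named in the advisory: 7.13.12, 8.4.3 and 8.5.2.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((0, 0, 0), (7, 13, 12)),    # "Jira before version 7.13.12"
    ((8, 0, 0), (8, 4, 3)),      # "from version 8.0.0 before version 8.4.3"
    ((8, 5, 0), (8, 5, 2)),      # "from version 8.5.0 before version 8.5.2"
]

# major.minor[.patch] with an optional "v" prefix and an optional suffix
# such as "-jira" or a further ".N" build component.
_VERSION_RE = re.compile(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+.].*)?\s*$")


def parse_version(text: str) -> Version:
    """Parse a version string into integers so comparisons are numeric."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Jira version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> bool:
    """True if the version lies in any affected range (lower <= v < fixed)."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose reported version is affected, sorted by name."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed inventory: host -> reported Jira Software version.
    sample = {
        "jira-prod": "8.5.1",
        "jira-stage": "8.5.2",
        "jira-legacy": "7.13.2",
        "jira-lts": "7.13.12",
    }
    print(triage(sample))
```

Feed it whatever your asset inventory reports as the Jira Software version; anything it lists is below the fix for its release line and needs the update above.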

Sources