exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Jira Service Desk Server And Data Center Path Traversal

Jira Service Desk Server And Data Center Path Traversal
Posted Sep 22, 2019
Authored by Atlassian

Jira Service Desk Server and Data Center product versions below 3.9.16, 3.10.0 up to 3.16.8, 4.0.0 up to 4.1.3, 4.2.0 up to 4.2.5, 4.3.0 up to 4.3.4, and 4.4.0 up to 4.4.1 are susceptible to a path traversal vulnerability.

tags | advisory, file inclusion
advisories | CVE-2019-14994
SHA-256 | 1bd78cc6d3d45eea1fb1efadb1e82ae16a452e32f277d1510a2aaea4b0c5fff9

Jira Service Desk Server And Data Center Path Traversal

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This email refers to the advisory found at
https://confluence.atlassian.com/jira/jira-service-desk-security-advisory-2019-09-18-976171274.html


CVE ID:

* CVE-2019-14994.


Product: Jira Service Desk Server and Data Center.

Affected Jira Service Desk Server and Data Center product versions:

version < 3.9.16
3.10.0 <= version < 3.16.8
4.0.0 <= version < 4.1.3
4.2.0 <= version < 4.2.5
4.3.0 <= version < 4.3.4
4.4.0 <= version < 4.4.1


Fixed Jira Service Desk Server and Data Center product versions:

* for 3.9.x and earlier, Jira Service Desk Server and Data Center
3.9.16 has been released
with a fix for this issue.
* for 3.16.x, Jira Service Desk Server and Data Center 3.16.8 has been released
with a fix for this issue.
* for 4.1.x, Jira Service Desk Server and Data Center 4.1.3 has been released
with a fix for this issue.
* for 4.2.x, Jira Service Desk Server and Data Center 4.2.5 has been released
with a fix for this issue.
* for 4.3.x, Jira Service Desk Server and Data Center 4.3.4 has been released
with a fix for this issue.
* for 4.4.x, Jira Service Desk Server and Data Center 4.4.1 has been released
with a fix for this issue.


Summary:
This advisory discloses a critical severity security vulnerability. Versions of
Jira Service Desk Server and Data Center are affected by this vulnerability.

Customers who have upgraded Jira Service Desk Server and Data Center to version
3.9.16, 3.16.8, 4.1.3, 4.2.5, 4.3.4, or 4.4.1 are not affected.

Customers who have downloaded and installed affected versions of Jira Service
Desk Server and Data, please upgrade your Jira Service Desk Server
and Data Center installations immediately to fix this vulnerability.


URL path traversal allows information disclosure - CVE-2019-14994

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

By design, Jira Service Desk gives customer portal users permissions only to
raise requests and view issues. This allows users to interact with the customer
portal without having direct access to Jira. These restrictions can be bypassed
by a remote attacker with portal access who exploits a path traversal
vulnerability. Exploitation allows an attacker to view all issues
within all Jira
projects contained in the vulnerable instance. This could include Jira Service
Desk projects, Jira Core projects, and Jira Software projects.

Note that attackers can grant themselves access to Jira Service Desk
portals that
have the 'Anyone can email the service desk or raise a request in the portal'
setting enabled. Changing this setting does not defend against an attacker that
has portal access via other means. Atlassian does not recommend changing the
setting. Instead, upgrade to a non-vulnerable version listed below.

Versions of Jira Service Desk Server and Data Center before 3.9.16 (the fixed
version for 3.9.x), from version 3.10.0 before 3.16.8 (the fixed version for
3.16.x), from version 4.0.0 before 4.1.3 (the fixed version for 4.1.x), from
version 4.2.0 before 4.2.5 (the fixed version for 4.2.x), from version 4.3.0
before 4.3.4 (the fixed version for 4.3.x), and from version 4.4.0 before 4.4.1
(the fixed version for 4.4.x) are affected by this vulnerability. This issue can
be tracked at: https://jira.atlassian.com/browse/JSDSERVER-6517.



Fix:

To address this issue, we've released the following versions containing a fix:

* Jira Service Desk Server and Data Center version 3.9.16
* Jira Service Desk Server and Data Center version 3.16.8
* Jira Service Desk Server and Data Center version 4.1.3
* Jira Service Desk Server and Data Center version 4.2.5
* Jira Service Desk Server and Data Center version 4.3.4
* Jira Service Desk Server and Data Center version 4.4.1

Remediation:

Upgrade Jira Service Desk Server and Data Center to version 4.4.1 or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Jira Service Desk Server and Data Center 3.9.x and cannot
upgrade to 4.4.1, upgrade to version 3.9.16.
If you are running Jira Service Desk Server and Data Center 3.16.x and cannot
upgrade to 4.4.1, upgrade to version 3.16.8.
If you are running Jira Service Desk Server and Data Center 4.1.x and cannot
upgrade to 4.4.1, upgrade to version 4.1.3.
If you are running Jira Service Desk Server and Data Center 4.2.x and cannot
upgrade to 4.4.1, upgrade to version 4.2.5.
If you are running Jira Service Desk Server and Data Center 4.3.x and cannot
upgrade to 4.4.1, upgrade to version 4.3.4.


For a full description of the latest version of Jira Service Desk Server and
Data Center, see the release notes found at
https://confluence.atlassian.com/servicedesk/jira-service-desk-release-notes-780083086.html.
You can download the latest version of Jira Service Desk Server and Data Center
from the download centre found at
https://www.atlassian.com/software/jira/service-desk/download.



Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.


-----BEGIN PGP SIGNATURE-----

iQJLBAEBCAA1FiEEXh3qw5vbMx/VSutRJCCXorxSdqAFAl2FBYoXHHNlY3VyaXR5
QGF0bGFzc2lhbi5jb20ACgkQJCCXorxSdqBMGw/8CxbSxu7zoB/0Z8AQ0MFZJyf/
0roBecinHPV8jV7/+LLUrU0fLvDvaw1hGnVPbNzWPrD8cMrOgI4VxIigTdFBwmwH
morZNBRk6d4h+xbuYjYvlATw97ClAfDsqUEwNSIxHn7Nwbt2rFn/a8+E9asG1oEY
WSnra6ibpwlNL5JMyggOT2Qu9/fC9BsZoFcRk1+z7fuMtd3Dh7ByCCu9eeIqLao2
sMAb0vE8PGmjXb6Uvy/2Vsp2+BtB4BS28/scxnssa/sKslI1XchWgZNk/2pYW9V9
1AIoSOapm2cP+4XmIq7ViWvAAPE6ViCdTfDTzQWw+UcNOa789zQXm7oagro3Fack
9iuDCISw48MjT/ZG1Fq1YrLutkcc3ekiLdjTB0hprQ51kfyRnyYwEUXWj1NRI+Wd
FEqQbDskLqFB1chroz0fiVpAmSN4VwNTo4QXnbSfiFcfROydwziGOPbHjlmAFxFh
1U6yjAoM3cZhCjnXvTDbiuPOTTry/VPYDOZ/I6gN2B5L7+sDGH0BGQaLKgnOHNcz
oizi0PxHTu7C4yT/e3G0lJDcWu5isGIE98Jd3fW7rC0wMrsCDLog9WscLam4fhYi
SADWs4t6IXGM/kEwGpjejIJMbeSVg3kEuGzr4fOxxkgkYMnrku3Cfi1orgfBiTFZ
tU9ucg9A6BDluQUVaCc=
=jYqK
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close