
Upcoming Security Advisory for Jira Service Desk Server and Data Center

05 Nov 2019

Two critical severity vulnerabilities (CVE-2019-15003 and CVE-2019-15004) have been discovered in Jira Service Desk Server and Jira Service Desk Data Center.

The affected versions are: all versions before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1.

Please note that users of Atlassian Cloud instances have already been upgraded to a version of Jira Service Desk that is not affected by these issues. In addition, users who have upgraded Jira Service Desk Server and Jira Service Desk Data Center to versions 3.9.17, 3.16.10, 4.2.6, 4.3.5, 4.4.3, or 4.5.1 are not affected.

Users should upgrade Jira Service Desk Server and Jira Service Desk Data Center installations immediately if the following versions have been downloaded and installed:

  • All versions before 3.9.17
  • 3.10.x
  • 3.11.x
  • 3.12.x
  • 3.13.x
  • 3.14.x
  • 3.15.x
  • 3.16.x before 3.16.10 (the fixed version for 3.16.x)
  • 4.0.x
  • 4.1.x
  • 4.2.x before 4.2.6 (the fixed version for 4.2.x)
  • 4.3.x before 4.3.5 (the fixed version for 4.3.x)
  • 4.4.x before 4.4.3 (the fixed version for 4.4.x)
  • 4.5.x before 4.5.1 (the fixed version for 4.5.x)
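The version ranges above are easy to misread when checking a fleet by hand (3.9.18, for example, is not affected even though it is below 3.16.10). The following added example, which is not part of the advisory and uses its own hypothetical function names and a constructed inventory, encodes the advisory's ranges and reports which hosts need an upgrade and to which fixed version.

```python
import re

# (lower bound inclusive, fixed version exclusive) pairs copied from the advisory.
# A lower bound of None means "every version before the fix".
AFFECTED_RANGES = [
    (None, "3.9.17"),
    ("3.10.0", "3.16.10"),
    ("4.0.0", "4.2.6"),
    ("4.3.0", "4.3.5"),
    ("4.4.0", "4.4.3"),
    ("4.5.0", "4.5.1"),
]


def parse_version(text):
    """Turn '4.2.6' into (4, 2, 6). Missing components count as 0, so '4.2' == '4.2.0'.
    Any suffix after the numeric part (e.g. '-rc1') is ignored and treated as the release."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def affected_by(version):
    """Return the fixed version to upgrade to if `version` falls in an affected range,
    otherwise None. Gaps between ranges (e.g. 3.9.18, 4.2.7) are correctly not affected."""
    v = parse_version(version)
    for lower, fixed in AFFECTED_RANGES:
        above_lower = lower is None or v >= parse_version(lower)
        if above_lower and v < parse_version(fixed):
            return fixed
    return None


def triage(inventory):
    """inventory maps host name -> installed version. Returns a host-sorted list of
    (host, installed_version, fixed_version) for every host that needs an upgrade."""
    hits = []
    for host, version in inventory.items():
        fixed = affected_by(version)
        if fixed is not None:
            hits.append((host, version, fixed))
    return sorted(hits)


# Constructed sample inventory; host names and versions are made up for this example.
SAMPLE_INVENTORY = {
    "jsd-prod-01": "4.2.5",
    "jsd-prod-02": "4.5.1",
    "jsd-legacy": "3.12.4",
    "jsd-dc-03": "4.3.4",
}

if __name__ == "__main__":
    for host, installed, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: {installed} is affected, upgrade to {fixed}")
```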

Authorisation bypass allows information disclosure - CVE-2019-15003

Severity

Atlassian rates the severity level of this vulnerability as critical.

This is Atlassian's assessment, so you should evaluate its applicability to your own IT environment.

Description

By design, Jira Service Desk gives portal users permission only to raise requests and view their own issues, so that they can interact with the portal without having direct access to Jira. An attacker with portal access can bypass these restrictions by exploiting an authorisation bypass vulnerability. If exploited, the attacker can view all issues within all Jira projects contained in the vulnerable instance. This could include Jira Service Desk projects, Jira Core projects and Jira Software projects.

All versions of Jira Service Desk before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 are affected.

URL path traversal allows information disclosure - CVE-2019-15004

Severity

Atlassian rates the severity level of this vulnerability as critical.

This is Atlassian's assessment, so you should evaluate its applicability to your own IT environment.

Description

By design, Jira Service Desk gives portal users permission only to raise requests and view their own issues, so that they can interact with the portal without having direct access to Jira. This vulnerability allows an attacker with portal access to bypass the same restrictions, in this case by means of a URL path traversal. If exploited, the attacker can view all issues within all Jira projects contained in the vulnerable instance. This could include Jira Service Desk projects, Jira Core projects and Jira Software projects.

All versions of Jira Service Desk before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 are affected.

To obtain versions of Jira Service Desk Server and Jira Service Desk Data Center that address these issues, please click here and scroll down the page to the "Fix" and "What You Need to Do" sections.

These issues do not affect Jira Cloud, so if you are looking to migrate to the cloud or are struggling with an existing migration, Catapult can help, so please do get in touch.