Two critical severity vulnerabilities (CVE-2019-15003 and CVE-2019-15004) have been discovered in Jira Service Desk Server and Jira Service Desk Data Center.
The affected versions are: all versions before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1.
Please note, users of Atlassian Cloud instances have already been upgraded to a version of Jira Service Desk which is not affected by this issue. In addition, users who have upgraded Jira Service Desk and Jira Service Desk Data Center to versions 3.9.17, 3.16.10, 4.2.6, 4.3.5, 4.4.3, or 4.5.1 are not affected.
Users should upgrade Jira Service Desk Server and Jira Service Desk Data Center installations immediately if the following versions have been downloaded and installed:
- All versions before 3.9.17
- 3.10.x
- 3.11.x
- 3.12.x
- 3.13.x
- 3.14.x
- 3.15.x
- 3.16.x before 3.16.10 (the fixed version for 3.16.x)
- 4.0.x
- 4.1.x
- 4.2.x before 4.2.6 (the fixed version for 4.2.x)
- 4.3.x before 4.3.5 (the fixed version for 4.3.x)
- 4.4.x before 4.4.3 (the fixed version for 4.4.x)
- 4.5.x before 4.5.1 (the fixed version for 4.5.x)
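As an added example (not Atlassian's own code and not part of this advisory), the following Python check maps an installed Jira Service Desk version onto the affected ranges listed above and names the fixed version to upgrade to; the inventory values in it are constructed.

```python
# Added example (not from the Atlassian advisory): decide whether an installed
# Jira Service Desk Server / Data Center version falls in the affected ranges
# listed in the advisory, and report the fixed version to upgrade to.
from typing import Optional, Tuple

# (first affected, first fixed) pairs as stated in the advisory. A version is
# affected if first_affected <= version < first_fixed.
AFFECTED_RANGES = [
    ((0, 0, 0), (3, 9, 17)),
    ((3, 10, 0), (3, 16, 10)),
    ((4, 0, 0), (4, 2, 6)),
    ((4, 3, 0), (4, 3, 5)),
    ((4, 4, 0), (4, 4, 3)),
    ((4, 5, 0), (4, 5, 1)),
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a comparable tuple; a missing patch is 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jira Service Desk version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fixed_version_for(text: str) -> Optional[str]:
    """Return the fixed version to upgrade to if `text` is affected, else None."""
    v = parse_version(text)
    for low, high in AFFECTED_RANGES:
        if low <= v < high:
            return ".".join(str(n) for n in high)
    return None


def is_affected(text: str) -> bool:
    """True when the version lies inside any affected range from the advisory."""
    return fixed_version_for(text) is not None


if __name__ == "__main__":
    # Constructed sample inventory: instance name -> version it reports.
    inventory = {"jsd-prod": "4.2.5", "jsd-staging": "4.5.1", "jsd-legacy": "3.8.2"}
    for name, ver in inventory.items():
        fix = fixed_version_for(ver)
        print(f"{name}: {ver} -> {'upgrade to ' + fix if fix else 'not affected'}")
```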
Authorisation bypass allows information disclosure - CVE-2019-15003
Severity
Atlassian rates the severity level of this vulnerability as critical.
This is Atlassian's assessment, so you should evaluate its applicability to your own IT environment.
Description
Jira Service Desk gives portal users permissions only to raise requests and view issues, by design, which allows users to interact with the portal without having direct access to Jira. These restrictions can be bypassed by any attacker with portal access who exploits an authorisation bypass. If exploited, any attacker can view all issues within all Jira projects contained in the vulnerable instance. This could include Jira Service Desk projects, Jira Core projects and Jira Software projects.
All versions of Jira Service Desk before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 are affected.
URL path traversal allows information disclosure - CVE-2019-15004
Severity
Atlassian rates the severity level of this vulnerability as critical.
This is Atlassian's assessment, so you should evaluate its applicability to your own IT environment.
Description
Jira Service Desk gives portal users permissions only to raise requests and view issues, by design, which allows users to interact with the portal without having direct access to Jira. These restrictions can be bypassed by any attacker with portal access who exploits a URL path traversal vulnerability. If exploited, any attacker can view all issues within all Jira projects contained in the vulnerable instance. This could include Jira Service Desk projects, Jira Core projects and Jira Software projects.
All versions of Jira Service Desk before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 are affected.
To access versions of Jira Service Desk Server and Jira Service Desk Data Center that address these issues, please visit our Atlassian Partner News page and scroll down to "Fix" and "What You Need to Do".