Atlassian Jira Service Desk Server and Jira Service Desk Data Center before 3.9.17 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) Vulnerability

Summary

The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via a path traversal vulnerability.

Credit:

The information has been provided by Alexander Minozhenko 

The original article can be found at:https://seclists.org/bugtraq/2019/Nov/9


Details

When the ‘Anyone can email the service desk or raise a request in the portal’ setting is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability.

 

Vulnerable Systems:

 Atlassian Jira Service Desk Server and Jira Service Desk Data Center before 3.9.17

 

CVE Information:

CVE-2019-15004

Disclosure Timeline:
Published Date:11/6/2019