CVE-2019-14994 Information

Description

The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before version 3.9.16 from version 3.10.0 before version 3.16.8 from version 4.0.0 before version 4.1.3 from version 4.2.0 before version 4.2.5 from version 4.3.0 before version 4.3.4 and version 4.4.0 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via a path traversal vulnerability. Note that when the ‘Anyone can email the service desk or raise a request in the portal’ setting is enabled an attacker can grant themselves portal access allowing them to exploit the vulnerability.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

http://packetstormsecurity.com/files/154574/Jira-Service-Desk-Server-And-Data-Center-Path-Traversal.html https://jira.atlassian.com/browse/JSDSERVER-6517 https://samcurry.net/analysis-of-cve-2019-14994/ https://seclists.org/bugtraq/2019/Sep/39

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

7.5