CVE-2019-15003 Information

Description

The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before 3.9.17 from 3.10.0 before 3.16.10 from 4.0.0 before 4.2.6 from 4.3.0 before 4.3.5 from 4.4.0 before 4.4.3 and from 4.5.0 before 4.5.1 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via authorization bypass. Note that when the ‘Anyone can email the service desk or raise a request in the portal’ setting is enabled an attacker can grant themselves portal access allowing them to exploit the vulnerability.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference

http://packetstormsecurity.com/files/155214/Jira-Service-Desk-Server-Data-Center-Path-Traversal.html https://jira.atlassian.com/browse/JSDSERVER-6590 https://seclists.org/bugtraq/2019/Nov/9

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

NONE

Base Score

NONE

Base Severity

5.3