CVE-2019-20105 Information

Description

The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20 from version 6.0.0 before version 6.0.12 from version 6.1.0 before version 6.1.2 from version 7.0.0 before version 7.0.1 and from version 7.1.0 before version 7.1.3 allows remote attackers who have obtained access to administrator’s session to access the EditApplinkServlet resource without needing to re-authenticate to pass \WebSudo\ in products that support \WebSudo\ through an improper access control vulnerability.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Reference

https://ecosystem.atlassian.net/browse/APL-1391 https://jira.atlassian.com/browse/JRASERVER-70526

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction Required

HIGH

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

NONE

Base Severity

4.9