Vulnerability Description
The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via a path traversal vulnerability. Note that when the 'Anyone can email the service desk or raise a request in the portal' setting is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Atlassian | Jira Service Desk Server / Data Center | < 3.9.17 |
| Atlassian | Jira Service Desk Server / Data Center | >= 3.10.0, < 3.16.10 |
| Atlassian | Jira Service Desk Server / Data Center | >= 4.0.0, < 4.2.6 |
| Atlassian | Jira Service Desk Server / Data Center | >= 4.3.0, < 4.3.5 |
| Atlassian | Jira Service Desk Server / Data Center | >= 4.4.0, < 4.4.3 |
| Atlassian | Jira Service Desk Server / Data Center | >= 4.5.0, < 4.5.1 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/155214/Jira-Service-Desk-Server-Data-Center (Third Party Advisory)
- https://jira.atlassian.com/browse/JSDSERVER-6589 (Issue Tracking, Vendor Advisory)
- https://seclists.org/bugtraq/2019/Nov/9 (Mailing List, Third Party Advisory)
FAQ
What is CVE-2019-15004?
CVE-2019-15004 is a vulnerability with a CVSS score of 7.5 (HIGH). The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4....
How severe is CVE-2019-15004?
CVE-2019-15004 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-15004?
Check the references section above for vendor advisories and patch information. Affected products include: Atlassian Jira Service Desk.