Multiple vulnerabilities in Atlassian Jira
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 17 |
| CVE-ID | CVE-2019-11589 CVE-2019-11588 CVE-2019-11587 CVE-2019-11586 CVE-2019-11585 CVE-2019-11584 CVE-2019-8447 CVE-2019-8450 CVE-2019-8449 CVE-2019-8451 CVE-2019-14997 CVE-2019-14996 CVE-2019-14995 CVE-2019-8445 CVE-2019-8446 CVE-2019-14998 CVE-2019-8444 |
| CWE-ID | CWE-601 CWE-352 CWE-79 CWE-200 CWE-918 CWE-862 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #9 is available. Public exploit code for vulnerability #13 is available. Public exploit code for vulnerability #14 is available. Public exploit code for vulnerability #15 is available. Public exploit code for vulnerability #16 is available. Public exploit code for vulnerability #17 is available. |
| Vulnerable software |
Jira Software Client/Desktop applications / Other client software |
| Vendor | Atlassian |
Security Bulletin
This security bulletin contains information about 17 vulnerabilities.
1) Open redirect
EUVDB-ID: #VU21186
Risk: Medium
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-11589
CWE-ID:
CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to redirect victims to arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data in the ChangeSharedFilterOwner resource. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain and obtain a user's Cross-site request forgery (CSRF) token in some cases.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsJira Software: 1.4.3 - 8.3.1
CPE2.3- cpe:2.3:a:atlassian:jira:1.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:2.2:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:2.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:2.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:atlassian:jira:2.8.3:*:*:*:*:*:*:*
https://jira.atlassian.com/browse/JRASERVER-69780
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Cross-site request forgery
EUVDB-ID: #VU21185
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-11588
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin passed via the "doGarbageCollection" method to the "ViewSystemInfo" class. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website such as trigger garbage collection.
MitigationInstall update from vendor's website.
Vulnerable software versionsJira Software: 1.4.3 - 8.3.1
CPE2.3 External linkshttps://jira.atlassian.com/browse/JRASERVER-69781
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Cross-site request forgery
EUVDB-ID: #VU21184
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-11587
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the various exposed resources of the ViewLogging class. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website such as modify various settings.
MitigationInstall update from vendor's website.
Vulnerable software versionsJira Software: 1.4.3 - 8.3.1
CPE2.3 External linkshttps://jira.atlassian.com/browse/JRASERVER-69782
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Cross-site request forgery
EUVDB-ID: #VU21183
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-11586
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the AddResolution.jspa resource. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website such as create new resolutions.
MitigationInstall update from vendor's website.
Vulnerable software versionsJira Software: 1.4.3 - 8.3.1
CPE2.3 External linkshttps://jira.atlassian.com/browse/JRASERVER-69783
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Open redirect
EUVDB-ID: #VU21182
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-11585
CWE-ID:
CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to redirect victims to arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data in the startup.jsp resource. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
MitigationInstall updates from vendor's website.
Vulnerable software versionsJira Software: 1.4.3 - 8.3.1
CPE2.3 External linkshttps://jira.atlassian.com/browse/JRASERVER-69784
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Stored cross-site scripting
EUVDB-ID: #VU21181
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-11584
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing data in the priority icon url of an issue priority. A remote authenticated administrator can upload a malicious icon and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsJira Software: 1.4.3 - 8.3.1
CPE2.3 External linkshttps://jira.atlassian.com/browse/JRASERVER-69785
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Cross-site request forgery
EUVDB-ID: #VU21179
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-8447
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the ServiceExecutor resource. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website such as trigger the creation of export files.
MitigationInstall update from vendor's website.
Vulnerable software versionsJira Software: 1.4.3 - 8.3.1
CPE2.3 External linkshttps://jira.atlassian.com/browse/JRASERVER-69776
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Cross-site scripting
EUVDB-ID: #VU21178
Risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-8450
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Optimization plugin. A remote authenticated attacker with permission to manage custom fields can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in the name of a custom field in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsJira Software: 1.4.3 - 8.3.4
CPE2.3 External linkshttps://jira.atlassian.com/browse/JRASERVER-69795
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Information disclosure
EUVDB-ID: #VU21176
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2019-8449
CWE-ID:
CWE-200 - Information exposure
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an information expose in the "/rest/api/latest/groupuserpicker" resource. A remote attacker can enumerate usernames and gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsJira Software: 1.4.3 - 8.3.4
CPE2.3 External linkshttps://jira.atlassian.com/browse/JRASERVER-69796
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
10) Server-Side Request Forgery (SSRF)
EUVDB-ID: #VU21169
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-8451
CWE-ID:
CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input in the "/plugins/servlet/gadgets/makeRequest" resource. A remote attacker can send a specially crafted HTTP request, gain access to the content of internal network resources due to a logic bug in the "JiraWhitelist" class and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsJira Software: 1.4.3 - 8.3.3
CPE2.3 External linkshttps://jira.atlassian.com/browse/JRASERVER-69793
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Information disclosure
EUVDB-ID: #VU21166
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-14997
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an information expose in the "AccessLogFilter" class. A remote attacker can gain unauthorized access to details about other users, including their username.
Install updates from vendor's website.
Vulnerable software versionsJira Software: 1.4.3 - 8.3.3
CPE2.3 External linkshttps://jira.atlassian.com/browse/JRASERVER-69794
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Cross-site scripting
EUVDB-ID: #VU21165
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-14996
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists in the "FilterPickerPopup.jspa" resource due to insufficient sanitization of user-supplied data in the "searchOwnerUserName" parameter. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsJira Software: 1.4.3 - 8.3.2
CPE2.3 External linkshttps://jira.atlassian.com/browse/JRASERVER-69790
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Missing Authorization
EUVDB-ID: #VU21154
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2019-14995
CWE-ID:
CWE-862 - Missing Authorization
Exploit availability: No
DescriptionInstall updates from vendor's website.
Vulnerable software versionsJira Software: 1.4.3 - 8.3.3
CPE2.3 External linkshttps://jira.atlassian.com/browse/JRASERVER-69792
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0836
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0837
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
14) Missing Authorization
EUVDB-ID: #VU21151
Risk: Low
CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-8445
CWE-ID:
CWE-862 - Missing Authorization
Exploit availability: No
DescriptionInstall updates from vendor's website.
Vulnerable software versionsJira Software: 1.4.3 - 8.3.1
CPE2.3 External linkshttps://jira.atlassian.com/browse/JRASERVER-69778
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0840
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
15) Missing authorization
EUVDB-ID: #VU21150
Risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2019-8446
CWE-ID:
CWE-862 - Missing Authorization
Exploit availability: No
DescriptionInstall updates from vendor's website.
Vulnerable software versionsJira Software: 1.4.3 - 8.3.1
CPE2.3 External linkshttps://jira.atlassian.com/browse/JRASERVER-69777
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0839
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
16) Cross-site request forgery
EUVDB-ID: #VU21146
Risk: Low
CVSSv4.0: 1.8 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-14998
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the Webwork action Cross-Site Request Forgery (CSRF) protection implementation. A remote attacker can bypass its protection via "cookie tossing", trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall update from vendor's website.
Vulnerable software versionsJira Software: 1.4.3 - 8.3.3
CPE2.3 External linkshttps://jira.atlassian.com/browse/JRASERVER-69791
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0835
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
17) Cross-site scripting
EUVDB-ID: #VU21143
Risk: Low
CVSSv4.0: 0.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear]
CVE-ID: CVE-2019-8444
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists in the wikirenderer component due to insufficient sanitization of user-supplied data in image attribute specification. A remote authenticated attacker can send a specially crafted comment or worklog, trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsJira Software: 1.4.3 - 8.3.1
CPE2.3 External linkshttps://jira.atlassian.com/browse/JRASERVER-69779
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0833
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
