#VU21151 Missing Authorization in Jira Software - CVE-2019-8445

Vulnerability identifier: #VU21151

Vulnerability risk: Low

CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2019-8445

CWE-ID: CWE-862

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Jira Software
Client/Desktop applications / Other client software

Vendor: Atlassian

Description

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Jira Software: 1.4.3, 2.0.2, 2.1, 2.2, 2.3, 2.4 - 2.4.1, 2.5.1 - 2.5.3, 2.6 - 2.6.1, 2.7.1 - 2.7.4, 2.8 - 2.8.3, 2.9 - 2.9.5, 2.10 - 2.10.4, 2.11, 2.12 - 2.12.1, 2.13, 2.14 - 2.14.2, 2.15, 2.16, 3, 3.0 - 3.0.3, 3.1 - 3.13.5, 3.2 - 3.2.4, 3.3 - 3.3.3, 3.4 - 3.4.3, 3.5 - 3.5.3, 3.6 - 3.6.5, 3.7 - 3.7.4, 3.8 - 3.8.4, 3.9 - 3.9.3, 4, 4.0 - 4.0.2, 4.1-M1 - 4.1.2, 4.2-m6 - 4.2.4-b591, 4.3-m1 - 4.3.4, 4.4 - 4.4.5, 5.2.11, 6.0-OD-15 - 6.0.3, 6.1-OD-1, 6.2.1 - 6.2.7, 6.3.0 - 6.3.15, 6.4.0 - 6.4.14, 6.5.0 - 6.5.2, 6.6.0 - 6.6.3, 6.7.0 - 6.7.16, 6.8.0 - 6.8.2, 7.0 - 7.0.11, 7.1 - 7.13.5, 7.2.0 - 7.2.15, 7.3 - 7.3.9, 7.4.0 - 7.4.6, 7.5.0 - 7.5.4, 7.6.0 - 7.6.15, 7.7.0 - 7.7.5, 7.8.0 - 7.8.5, 7.9.0 - 7.9.3, 8.0.0-m0025 - 8.0.3, 8.1.0 - 8.1.2, 8.2.0 - 8.2.4, 8.3.0 - 8.3.1

External links
https://jira.atlassian.com/browse/JRASERVER-69778
https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0840

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.