#VU30378 Incorrect default permissions in Jira Software - CVE-2019-20106

Cybersecurity Help s.r.o.

Published: 2020-02-06 | Updated: 2020-07-17

Vulnerability identifier: #VU30378

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-20106

CWE-ID: CWE-276

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Jira Software
Client/Desktop applications / Other client software

Vendor: Atlassian

Description

The vulnerability allows a remote authenticated user to manipulate data.

Comment properties in Atlassian Jira Server and Data Center before version 7.13.12, from 8.0.0 before version 8.5.4, and 8.6.0 before version 8.6.1 allows remote attackers to make comments on a ticket to which they do not have commenting permissions via a broken access control bug.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Jira Software: 8.0.0-m0025 - 8.0.4, 8.1.0 - 8.1.3, 8.2.0 - 8.2.6, 8.3.0 - 8.3.5, 8.4.0 - 8.4.3, 8.5.0 - 8.5.3

External links
https://jira.atlassian.com/browse/JRASERVER-70543

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Incorrect default permissions in Atlassian JIRA