News

Atlassian developers find critical vulnerabilities in Jira Service Desk

Atlassian has released security updates for Jira and Jira Service Desk (Server and Data Center editions) that eliminate two critical vulnerabilities. Attackers could use them to obtain sensitive information or to remotely execute malicious code on the system.

CVE-2019-14994 in Jira Service Desk is a URL path traversal vulnerability. It allows a user with customer portal access to bypass the portal's restrictions and view the issues of all Jira Service Desk, Jira Core and Jira Software projects.

“Jira Service Desk provides customer portal users only with the permissions to raise requests and view issues, so that they would interact with the portal without having direct access to Jira. Due to said path traversal vulnerability, however, an attacker with portal access could bypass the mentioned restrictions,” the Jira developers note.

The second bug, CVE-2019-15001, was found in the Jira Importers (JIM) plugin and affects the Jira Server and Jira Data Center products. Using this vulnerability, an attacker with Jira administrator privileges could perform server-side template injection and thereby remotely execute arbitrary code.


The vulnerable Jira Service Desk Server and Jira Service Desk Data Center products include all builds in the 3.9.x – 3.16.x and 4.0.x – 4.4.x branches. CVE-2019-14994 is fixed in releases 3.9.16, 3.16.8, 4.1.3, 4.2.5, 4.3.4 and 4.4.1. If administrators cannot install the patch quickly, users can be protected from attack by restricting access to Jira Software / Core projects and by blocking certain requests to Jira, or by redirecting them to a trusted URL.

There are currently no reports of either vulnerability being exploited in attacks.

Recommendations:

CVE-2019-15001 affects the Jira Server / Data Center branches 7.0.x – 7.13.x and 8.0.x – 8.3.x, as well as release 8.4.0. The problem is fixed in updates 7.6.16, 7.13.8, 8.1.3, 8.2.5, 8.3.4 and 8.4.1, which should be installed immediately. As a temporary protective measure, you can block PUT requests to /rest/jira-importers-plugin/1.0/demo/create.
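To verify that the temporary block for CVE-2019-15001 holds, or to audit earlier traffic to the importers endpoint, the following added example (not from the article or from Atlassian) scans access log lines in Apache/Tomcat combined format for PUT requests to that path. The log lines are constructed for illustration, and the `context_path` argument is an assumption for instances deployed under a URL prefix.

```python
import re
from urllib.parse import urlsplit

# Endpoint named in the temporary mitigation for CVE-2019-15001.
JIM_DEMO_CREATE = "/rest/jira-importers-plugin/1.0/demo/create"

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - admin [10/Sep/2019:12:00:01 +0000] "GET /browse/SD-1 HTTP/1.1" 200 5120
10.0.0.9 - admin [10/Sep/2019:12:00:07 +0000] "PUT /rest/jira-importers-plugin/1.0/demo/create HTTP/1.1" 200 88
10.0.0.9 - admin [10/Sep/2019:12:00:09 +0000] "PUT /jira/rest/jira-importers-plugin/1.0/demo/create?x=1 HTTP/1.1" 200 88
10.0.0.9 - admin [10/Sep/2019:12:00:11 +0000] "PUT /rest/jira-importers-plugin/1.0/demo/create/ HTTP/1.1" 404 0
10.0.0.7 - - [10/Sep/2019:12:00:12 +0000] "POST /rest/api/2/issue HTTP/1.1" 201 300
10.0.0.9 - admin [10/Sep/2019:12:00:15 +0000] "GET /rest/jira-importers-plugin/1.0/demo/create HTTP/1.1" 405 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize_path(target, context_path=""):
    """Drop the query string and a trailing slash, and strip an assumed context path prefix."""
    path = urlsplit(target).path.rstrip("/")
    if context_path and path.startswith(context_path):
        path = path[len(context_path):]
    return path


def is_jim_demo_put(entry, context_path=""):
    """True when the request is a PUT to the importers demo/create endpoint."""
    return entry["method"] == "PUT" and normalize_path(entry["target"], context_path) == JIM_DEMO_CREATE


def find_jim_demo_requests(log_text, context_path=""):
    """Return (ip, user, timestamp, status) for every matching request in the log text."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_jim_demo_put(entry, context_path):
            hits.append((entry["ip"], entry["user"], entry["ts"], entry["status"]))
    return hits


if __name__ == "__main__":
    for hit in find_jim_demo_requests(SAMPLE_LOG, context_path="/jira"):
        print("PUT to importers endpoint:", hit)
```

A status other than 403 or similar in the output means the request reached Jira, so the block was not in effect for that request.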

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
