Meelogic Atlassian Blog

Jira Service Desk Security Advisory System vulnerability 2019-11-06

• CVE-2019-15003 – Authorization bypass allows information disclosure

• CVE-2019-15004 – URL path traversal allows information disclosure
Authorization bypass allows information disclosure – CVE-2019-15003

Severity

Atlassian classifies the severity of this vulnerability as critical, according to the scale published in the Atlassian Severity Levels. The scale allows the severity level to be classified as critical, high, medium or low.

This is our assessment, and you should evaluate its applicability to your own IT environment.

Description

By design, Jira Service Desk gives customer portal users permissions only to raise requests and view issues. This allows users to interact with the customer portal without having direct access to Jira. These restrictions can be circumvented by any attacker with portal access* who exploits a permission bypass. Exploitation allows an attacker to view all issues within all Jira projects included in the vulnerable instance. This could include Jira Service Desk projects, Jira Core projects, and Jira Software projects.

All versions of Jira Service Desk before 3.9.17, from 3.10.0 before 3.16.11, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 are affected. This issue can be tracked here: https://jira.atlassian.com/browse/JSDSERVER-6590

* Note that attackers can grant themselves access to Jira Service Desk portals that have the “Anyone can email the service desk or raise a request in the portal” setting enabled. Changing this permission does not remove the vulnerability to an exploit by an attacker that has portal access. Atlassian does not recommend changing the permission; instead, please read on and follow the instructions outlined in the section:

Mitigation

If you are unable to upgrade Jira Service Desk immediately or are in the process of migrating to Jira Cloud, then as a temporary workaround, you can:

<rule>
    <from>/servicedesk/.*\.jsp.*</from>
    <to type="temporary-redirect">/</to>
</rule>

After upgrading Jira Service Desk this mitigation can be removed.
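The rule above redirects every request whose path matches the regex in its <from> element. As an added example (not part of Atlassian's advisory and not Jira's own code), the following Python checks which request paths that <from> pattern would catch and then scans constructed access-log lines for such requests, reporting whether each one was served (200, i.e. the rule was not yet in place) or redirected (302, i.e. the mitigation was active). It assumes that UrlRewriteFilter applies the regex with find semantics against the request path without the query string, that the log is in Apache combined format, and it uses constructed addresses, timestamps and a placeholder JSP name.

```python
import re
from dataclasses import dataclass
from typing import List

# <from> pattern copied verbatim from the urlrewrite rule in the mitigation above.
# Java and Python regex syntax agree for this simple pattern.
RULE_FROM = r"/servicedesk/.*\.jsp.*"
RULE_RE = re.compile(RULE_FROM)

# Apache combined log format (assumed; adjust to your access-log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def rule_matches(path: str) -> bool:
    """True if the rule's <from> regex would fire for this request path.
    Assumption: UrlRewriteFilter applies the regex with find() semantics, i.e.
    it matches anywhere in the path, so a context path such as /jira/ in front
    does not prevent a match."""
    return RULE_RE.search(path) is not None


@dataclass
class Hit:
    ip: str
    timestamp: str
    target: str
    status: int
    redirected: bool  # 3xx answer: the temporary-redirect mitigation was active


def scan_access_log(lines: List[str]) -> List[Hit]:
    """Return every request the rule would catch, with whether it was redirected.
    A 200 on such a path means the request was served, i.e. the rule was not in
    place when it arrived; a 302 means the mitigation redirected it to /."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than fail the whole scan
        # Assumption: the rule is evaluated against the path, without the query string.
        path = m.group("target").split("?", 1)[0]
        if rule_matches(path):
            status = int(m.group("status"))
            hits.append(Hit(m.group("ip"), m.group("ts"), m.group("target"),
                            status, redirected=300 <= status < 400))
    return hits


def served_hits(hits: List[Hit]) -> List[Hit]:
    """Hits answered with content rather than redirected: the ones to investigate."""
    return [h for h in hits if not h.redirected]


# Constructed sample log lines; addresses, times and the JSP name are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Nov/2019:10:15:02 +0000] "GET /servicedesk/customer/portal/1 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [06/Nov/2019:10:15:09 +0000] "GET /servicedesk/customer/PLACEHOLDER.jsp HTTP/1.1" 200 48211',
    '203.0.113.7 - - [06/Nov/2019:10:31:44 +0000] "GET /servicedesk/customer/PLACEHOLDER.jsp HTTP/1.1" 302 0',
    '198.51.100.4 - - [06/Nov/2019:10:40:00 +0000] "GET /browse/SD-12 HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(h.timestamp, h.ip, h.target, h.status,
              "redirected" if h.redirected else "SERVED")
```

Running it against the constructed lines lists two hits: the first was served before the rule existed and is the one worth reviewing, the second was redirected. Because the rule also hides legitimate JSP requests under /servicedesk/, a scan like this doubles as a check that the redirect is actually in effect after the restart.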

URL path traversal allows information disclosure – CVE-2019-15004

Severity

Atlassian classifies the severity of this vulnerability as critical, according to the scale published in the Atlassian Severity Scales. The scale allows the severity level to be classified as critical, high, medium or low.

This is our assessment, and you should evaluate its applicability to your own IT environment.

Description

By design, Jira Service Desk gives customer portal users permissions only to raise requests and view issues. This allows users to interact with the customer portal without having direct access to Jira. These restrictions can be bypassed by any attacker with portal access* who exploits a path traversal vulnerability. Exploitation allows an attacker to view all issues within all Jira projects contained in the vulnerable instance. This could include Jira Service Desk projects, Jira Core projects, and Jira Software projects.

All versions of Jira Service Desk before 3.9.17, from 3.10.0 before 3.16.11, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 are affected. This issue can be tracked here: https://jira.atlassian.com/browse/JSDSERVER-6589

* Note that attackers can grant themselves access to Jira Service Desk portals that have the “Anyone can email the service desk or raise a request in the portal” setting enabled. Changing this permission does not remove the vulnerability to an exploit by an attacker that has portal access. Atlassian does not recommend changing the permission; instead, please read on and follow the instructions outlined in the section:

Mitigation

If you are unable to upgrade Jira Service Desk immediately or are in the process of migrating to Jira Cloud, then as a temporary workaround, you can:

• After saving the changes above, restart Jira

After upgrading Jira Service Desk this mitigation can be removed.

What You Need to Do

Upgrading Jira Service Desk

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Jira Service Desk Server & Jira Service Desk Data Center, see the Release Notes. You can download the latest version of Jira Service Desk Server & Jira Service Desk Data Center from the Download Center.

Upgrade Jira Service Desk to a version as specified below.

Upgrading Jira Service Desk also requires upgrading Jira Core. Check the compatibility matrix to find the equivalent version for your Jira Service Desk version.

Jira Service Desk version        Upgrade to
4.5.x                            4.5.1
4.4.x                            4.4.3
4.3.x                            4.3.5
4.2.x                            4.2.6
4.1.x                            4.5.1 (Recommended)
4.0.x                            4.5.1 (Recommended)
3.16.x                           3.16.11
3.9.x                            3.16.11
                                 3.9.17
Older versions (before 3.9.x)    Current versions: 4.4.1, 4.3.4
                                 Enterprise releases: 4.5.1 (Recommended), 3.16.11, 3.9.17
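As an added example (not from the advisory), the following Python encodes the affected ranges stated in the Description sections above and reports, for a given installed Jira Service Desk version, whether it is affected and the earliest fixed release in its range. The table's recommendation of 4.5.1 for 4.0.x and 4.1.x is a separate upgrade target and is not encoded here. It assumes the installed version is reported as a dotted numeric string such as 4.5.1.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as stated in the advisory: each entry is
# (first affected version inclusive, first fixed version exclusive).
AFFECTED_RANGES = [
    ((0, 0, 0),  (3, 9, 17)),   # "before 3.9.17"
    ((3, 10, 0), (3, 16, 11)),  # "from 3.10.0 before 3.16.11"
    ((4, 0, 0),  (4, 2, 6)),    # "from 4.0.0 before 4.2.6"
    ((4, 3, 0),  (4, 3, 5)),    # "from 4.3.0 before 4.3.5"
    ((4, 4, 0),  (4, 4, 3)),    # "from 4.4.0 before 4.4.3"
    ((4, 5, 0),  (4, 5, 1)),    # "from 4.5.0 before 4.5.1"
]


def parse_version(text: str) -> Version:
    """Parse a dotted version such as '4.5.1' or '3.16' into a 3-tuple.
    Non-numeric suffixes (e.g. '-SNAPSHOT') are ignored and missing components
    are treated as 0. The numeric form is an assumption about how the installed
    version is reported."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def format_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


def affected_range(text: str) -> Optional[Tuple[Version, Version]]:
    """The (low, high) range the version falls in, or None if it is not affected."""
    v = parse_version(text)
    for low, high in AFFECTED_RANGES:
        if low <= v < high:
            return (low, high)
    return None


def is_affected(text: str) -> bool:
    return affected_range(text) is not None


def fix_version(text: str) -> Optional[str]:
    """Earliest fixed release in the same affected range, or None if not affected."""
    rng = affected_range(text)
    return format_version(rng[1]) if rng else None


if __name__ == "__main__":
    # Constructed sample inventory of installed versions.
    for installed in ["3.9.16", "3.9.18", "3.16.10", "4.1.3", "4.2.6", "4.5.0", "4.6.0"]:
        verdict = "affected" if is_affected(installed) else "not affected"
        print(f"{installed:8} {verdict:13} fix: {fix_version(installed)}")
```

Note that a version such as 3.9.18 is not affected under the advisory's wording ("before 3.9.17"), even though it is older than 3.10.0; the ranges are per maintenance branch, which is why the check tests each range rather than a single cut-off.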