All the vulnerabilites related to Atlassian - Application Links
cve-2017-18111
Vulnerability from cvelistv5
Published
2019-03-29 14:04
Modified
2024-09-16 17:32
Severity ?
EPSS score ?
Summary
The OAuthHelper in Atlassian Application Links before version 5.0.10, from version 5.1.0 before version 5.1.3, and from version 5.2.0 before version 5.2.6 used an XML document builder that was vulnerable to XXE when consuming a client OAuth request. This allowed malicious oauth application linked applications to probe internal network resources by requesting internal locations, read the contents of files and also cause an out of memory exception affecting availability via an XML External Entity vulnerability.
References
| ▼ | URL | Tags |
|---|---|---|
| https://ecosystem.atlassian.net/browse/APL-1338 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Atlassian | Application Links |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:13:48.645Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ecosystem.atlassian.net/browse/APL-1338"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Application Links",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "5.0.10",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "5.1.0",
"versionType": "custom"
},
{
"lessThan": "5.1.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "5.2.0",
"versionType": "custom"
},
{
"lessThan": "5.2.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2017-05-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The OAuthHelper in Atlassian Application Links before version 5.0.10, from version 5.1.0 before version 5.1.3, and from version 5.2.0 before version 5.2.6 used an XML document builder that was vulnerable to XXE when consuming a client OAuth request. This allowed malicious oauth application linked applications to probe internal network resources by requesting internal locations, read the contents of files and also cause an out of memory exception affecting availability via an XML External Entity vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-03-29T14:04:53",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ecosystem.atlassian.net/browse/APL-1338"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2017-05-31T00:00:00",
"ID": "CVE-2017-18111",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Application Links",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "5.0.10"
},
{
"version_affected": "\u003e=",
"version_value": "5.1.0"
},
{
"version_affected": "\u003c",
"version_value": "5.1.3"
},
{
"version_affected": "\u003e=",
"version_value": "5.2.0"
},
{
"version_affected": "\u003c",
"version_value": "5.2.6"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The OAuthHelper in Atlassian Application Links before version 5.0.10, from version 5.1.0 before version 5.1.3, and from version 5.2.0 before version 5.2.6 used an XML document builder that was vulnerable to XXE when consuming a client OAuth request. This allowed malicious oauth application linked applications to probe internal network resources by requesting internal locations, read the contents of files and also cause an out of memory exception affecting availability via an XML External Entity vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Restriction of XML External Entity Reference (\u0027XXE\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ecosystem.atlassian.net/browse/APL-1338",
"refsource": "MISC",
"url": "https://ecosystem.atlassian.net/browse/APL-1338"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2017-18111",
"datePublished": "2019-03-29T14:04:53.340099Z",
"dateReserved": "2018-02-01T00:00:00",
"dateUpdated": "2024-09-16T17:32:37.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2017-16860
Vulnerability from cvelistv5
Published
2018-05-14 13:00
Modified
2024-09-17 00:10
Severity ?
EPSS score ?
Summary
The invalidRedirectUrl template in Atlassian Application Links before version 5.2.7, from version 5.3.0 before version 5.3.4 and from version 5.4.0 before version 5.4.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the redirectUrl parameter link in the redirect warning message.
References
| ▼ | URL | Tags |
|---|---|---|
| https://ecosystem.atlassian.net/browse/APL-1363 | x_refsource_CONFIRM | |
| http://www.securityfocus.com/bid/104188 | vdb-entry, x_refsource_BID |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Atlassian | Application Links |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:35:21.221Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://ecosystem.atlassian.net/browse/APL-1363"
},
{
"name": "104188",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/104188"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Application Links",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "5.2.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "5.3.0",
"versionType": "custom"
},
{
"lessThan": "5.3.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "5.4.0",
"versionType": "custom"
},
{
"lessThan": "5.4.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2018-05-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The invalidRedirectUrl template in Atlassian Application Links before version 5.2.7, from version 5.3.0 before version 5.3.4 and from version 5.4.0 before version 5.4.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the redirectUrl parameter link in the redirect warning message."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross Site Scripting (XSS)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-17T09:57:01",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://ecosystem.atlassian.net/browse/APL-1363"
},
{
"name": "104188",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/104188"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2018-05-14T00:00:00",
"ID": "CVE-2017-16860",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Application Links",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "5.2.7"
},
{
"version_affected": "\u003e=",
"version_value": "5.3.0"
},
{
"version_affected": "\u003c",
"version_value": "5.3.4"
},
{
"version_affected": "\u003e=",
"version_value": "5.4.0"
},
{
"version_affected": "\u003c",
"version_value": "5.4.3"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The invalidRedirectUrl template in Atlassian Application Links before version 5.2.7, from version 5.3.0 before version 5.3.4 and from version 5.4.0 before version 5.4.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the redirectUrl parameter link in the redirect warning message."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ecosystem.atlassian.net/browse/APL-1363",
"refsource": "CONFIRM",
"url": "https://ecosystem.atlassian.net/browse/APL-1363"
},
{
"name": "104188",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/104188"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2017-16860",
"datePublished": "2018-05-14T13:00:00Z",
"dateReserved": "2017-11-16T00:00:00",
"dateUpdated": "2024-09-17T00:10:37.417Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20105
Vulnerability from cvelistv5
Published
2020-03-17 02:40
Modified
2024-09-16 19:25
Severity ?
EPSS score ?
Summary
The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote attackers who have obtained access to administrator's session to access the EditApplinkServlet resource without needing to re-authenticate to pass "WebSudo" in products that support "WebSudo" through an improper access control vulnerability.
References
| ▼ | URL | Tags |
|---|---|---|
| https://ecosystem.atlassian.net/browse/APL-1391 | x_refsource_MISC | |
| https://jira.atlassian.com/browse/JRASERVER-70526 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Atlassian | Application Links | |
| Atlassian | Jira Server and Data Center |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:32:10.632Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ecosystem.atlassian.net/browse/APL-1391"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-70526"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Application Links",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "5.4.20",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "6.0.12",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.0.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
},
{
"lessThan": "7.1.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Server and Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.13.8",
"versionType": "custom"
},
{
"lessThan": "7.13.12",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.4.2",
"versionType": "custom"
},
{
"lessThan": "8.5.4",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.6.0",
"versionType": "custom"
},
{
"lessThan": "8.6.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-03-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote attackers who have obtained access to administrator\u0027s session to access the EditApplinkServlet resource without needing to re-authenticate to pass \"WebSudo\" in products that support \"WebSudo\" through an improper access control vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-17T02:40:13",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ecosystem.atlassian.net/browse/APL-1391"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-70526"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2020-03-17T00:00:00",
"ID": "CVE-2019-20105",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Application Links",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "5.4.20"
},
{
"version_affected": "\u003e=",
"version_value": "6.0.0"
},
{
"version_affected": "\u003c",
"version_value": "6.0.12"
},
{
"version_affected": "\u003e=",
"version_value": "7.0.0"
},
{
"version_affected": "\u003c",
"version_value": "7.0.1"
},
{
"version_affected": "\u003e=",
"version_value": "7.1.0"
},
{
"version_affected": "\u003c",
"version_value": "7.1.3"
}
]
}
},
{
"product_name": "Jira Server and Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "7.13.8"
},
{
"version_affected": "\u003c",
"version_value": "7.13.12"
},
{
"version_affected": "\u003e=",
"version_value": "8.4.2"
},
{
"version_affected": "\u003c",
"version_value": "8.5.4"
},
{
"version_affected": "\u003e=",
"version_value": "8.6.0"
},
{
"version_affected": "\u003c",
"version_value": "8.6.1"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote attackers who have obtained access to administrator\u0027s session to access the EditApplinkServlet resource without needing to re-authenticate to pass \"WebSudo\" in products that support \"WebSudo\" through an improper access control vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ecosystem.atlassian.net/browse/APL-1391",
"refsource": "MISC",
"url": "https://ecosystem.atlassian.net/browse/APL-1391"
},
{
"name": "https://jira.atlassian.com/browse/JRASERVER-70526",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/JRASERVER-70526"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2019-20105",
"datePublished": "2020-03-17T02:40:13.819495Z",
"dateReserved": "2019-12-30T00:00:00",
"dateUpdated": "2024-09-16T19:25:54.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-15011
Vulnerability from cvelistv5
Published
2019-12-17 03:45
Modified
2024-09-16 19:50
Severity ?
EPSS score ?
Summary
The ListEntityLinksServlet resource in Application Links before version 5.0.12, from version 5.1.0 before version 5.2.11, from version 5.3.0 before version 5.3.7, from version 5.4.0 before 5.4.13, and from version 6.0.0 before 6.0.5 disclosed application link information to non-admin users via a missing permissions check.
References
| ▼ | URL | Tags |
|---|---|---|
| https://ecosystem.atlassian.net/browse/APL-1386 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Atlassian | Application Links |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:34:53.139Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ecosystem.atlassian.net/browse/APL-1386"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Application Links",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "5.0.12",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "5.1.0",
"versionType": "custom"
},
{
"lessThan": "5.2.11",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "5.3.0",
"versionType": "custom"
},
{
"lessThan": "5.3.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "5.4.0",
"versionType": "custom"
},
{
"lessThan": "5.4.13",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "6.0.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2019-12-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The ListEntityLinksServlet resource in Application Links before version 5.0.12, from version 5.1.0 before version 5.2.11, from version 5.3.0 before version 5.3.7, from version 5.4.0 before 5.4.13, and from version 6.0.0 before 6.0.5 disclosed application link information to non-admin users via a missing permissions check."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Exposure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-17T03:45:13",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ecosystem.atlassian.net/browse/APL-1386"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2019-12-17T00:00:00",
"ID": "CVE-2019-15011",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Application Links",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "5.0.12"
},
{
"version_affected": "\u003e=",
"version_value": "5.1.0"
},
{
"version_affected": "\u003c",
"version_value": "5.2.11"
},
{
"version_affected": "\u003e=",
"version_value": "5.3.0"
},
{
"version_affected": "\u003c",
"version_value": "5.3.7"
},
{
"version_affected": "\u003e=",
"version_value": "5.4.0"
},
{
"version_affected": "\u003c",
"version_value": "5.4.13"
},
{
"version_affected": "\u003e=",
"version_value": "6.0.0"
},
{
"version_affected": "\u003c",
"version_value": "6.0.5"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The ListEntityLinksServlet resource in Application Links before version 5.0.12, from version 5.1.0 before version 5.2.11, from version 5.3.0 before version 5.3.7, from version 5.4.0 before 5.4.13, and from version 6.0.0 before 6.0.5 disclosed application link information to non-admin users via a missing permissions check."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Exposure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://ecosystem.atlassian.net/browse/APL-1386",
"refsource": "MISC",
"url": "https://ecosystem.atlassian.net/browse/APL-1386"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2019-15011",
"datePublished": "2019-12-17T03:45:14.059031Z",
"dateReserved": "2019-08-13T00:00:00",
"dateUpdated": "2024-09-16T19:50:47.187Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-20100
Vulnerability from cvelistv5
Published
2020-02-12 14:07
Modified
2024-09-17 00:40
Severity ?
EPSS score ?
Summary
The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.2, and from version 7.1.0 before version 7.1.3. The vulnerable plugin is used by Atlassian Jira Server and Data Center before version 8.7.0. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.tenable.com/security/research/tra-2020-06 | x_refsource_MISC | |
| https://ecosystem.atlassian.net/browse/APL-1390 | x_refsource_MISC | |
| https://jira.atlassian.com/browse/JRASERVER-70607 | x_refsource_MISC |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Atlassian | Application Links | |
| Atlassian | Jira Server |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:32:10.519Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.tenable.com/security/research/tra-2020-06"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ecosystem.atlassian.net/browse/APL-1390"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-70607"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Application Links",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "5.4.21",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
},
{
"lessThan": "6.0.12",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "6.1.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "7.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.1.0",
"versionType": "custom"
},
{
"lessThan": "7.1.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.7.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-02-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.2, and from version 7.1.0 before version 7.1.3. The vulnerable plugin is used by Atlassian Jira Server and Data Center before version 8.7.0. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross Site Scripting (CSRF)",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-12T14:07:54",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.tenable.com/security/research/tra-2020-06"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ecosystem.atlassian.net/browse/APL-1390"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-70607"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2020-02-03T00:00:00",
"ID": "CVE-2019-20100",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Application Links",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "5.4.21"
},
{
"version_affected": "\u003e=",
"version_value": "6.0.0"
},
{
"version_affected": "\u003c",
"version_value": "6.0.12"
},
{
"version_affected": "\u003e=",
"version_value": "6.1.0"
},
{
"version_affected": "\u003c",
"version_value": "6.1.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.0.0"
},
{
"version_affected": "\u003c",
"version_value": "7.0.2"
},
{
"version_affected": "\u003e=",
"version_value": "7.1.0"
},
{
"version_affected": "\u003c",
"version_value": "7.1.3"
}
]
}
},
{
"product_name": "Jira Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.7.0"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.2, and from version 7.1.0 before version 7.1.3. The vulnerable plugin is used by Atlassian Jira Server and Data Center before version 8.7.0. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross Site Scripting (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.tenable.com/security/research/tra-2020-06",
"refsource": "MISC",
"url": "https://www.tenable.com/security/research/tra-2020-06"
},
{
"name": "https://ecosystem.atlassian.net/browse/APL-1390",
"refsource": "MISC",
"url": "https://ecosystem.atlassian.net/browse/APL-1390"
},
{
"name": "https://jira.atlassian.com/browse/JRASERVER-70607",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/JRASERVER-70607"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2019-20100",
"datePublished": "2020-02-12T14:07:54.434471Z",
"dateReserved": "2019-12-30T00:00:00",
"dateUpdated": "2024-09-17T00:40:31.695Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}