cnvd - cnvd-2019-40791

CNVD-2019-40791

Vulnerability from cnvd - Published: 2019-11-15

Title

Atlassian Jira Service Desk Server和Atlassian Jira Service Desk Data Center Customer Context Filter路径遍历漏洞

Description

Atlassian Jira Service Desk Server和Atlassian Jira Service Desk Data Center都是澳大利亚Atlassian（Atlassian）公司的产品。Atlassian Jira Service Desk Server是一套IT服务台与请求跟踪系统的服务器版。该系统主要用于接收、跟踪和管理团队客户的请求。Atlassian Jira Service Desk Data Center是Atlassian Jira Service Desk的数据中心版本。Customer Context Filter是其中的一个上下文过滤器。 Atlassian Jira Service Desk Server和Jira Service Desk Data Center中的Customer Context Filter存在路径遍历漏洞。该漏洞源于网络系统或产品未能正确地过滤资源或文件路径中的特殊元素。攻击者可利用该漏洞访问受限目录之外的位置。

Severity

中

Patch Name

Atlassian Jira Service Desk Server和Atlassian Jira Service Desk Data Center Customer Context Filter路径遍历漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://jira.atlassian.com/browse/JSDSERVER-6589

Reference

https://nvd.nist.gov/vuln/detail/CVE-2019-15004

Impacted products

Name
['Atlassian Jira Service Desk <3.9.17M', 'Atlassian Jira Service Desk <=3.10.0（3.16.10版本已修复）', 'Atlassian Jira Service Desk <=4.0.03.10.0（4.2.6版本已修复）', 'Atlassian Jira Service Desk <=4.3.03.10.0（4.3.5版本已修复）', 'Atlassian Jira Service Desk <=4.4.03.10.0（4.4.3版本已修复）', 'Atlassian Jira Service Desk <=4.5.03.10.0（4.5.1版本已修复）']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-15004"
    }
  },
  "description": "Atlassian Jira Service Desk Server\u548cAtlassian Jira Service Desk Data Center\u90fd\u662f\u6fb3\u5927\u5229\u4e9aAtlassian\uff08Atlassian\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002Atlassian Jira Service Desk Server\u662f\u4e00\u5957IT\u670d\u52a1\u53f0\u4e0e\u8bf7\u6c42\u8ddf\u8e2a\u7cfb\u7edf\u7684\u670d\u52a1\u5668\u7248\u3002\u8be5\u7cfb\u7edf\u4e3b\u8981\u7528\u4e8e\u63a5\u6536\u3001\u8ddf\u8e2a\u548c\u7ba1\u7406\u56e2\u961f\u5ba2\u6237\u7684\u8bf7\u6c42\u3002Atlassian Jira Service Desk Data Center\u662fAtlassian Jira Service Desk\u7684\u6570\u636e\u4e2d\u5fc3\u7248\u672c\u3002Customer Context Filter\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u4e0a\u4e0b\u6587\u8fc7\u6ee4\u5668\u3002\n\nAtlassian Jira Service Desk Server\u548cJira Service Desk Data Center\u4e2d\u7684Customer Context Filter\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u80fd\u6b63\u786e\u5730\u8fc7\u6ee4\u8d44\u6e90\u6216\u6587\u4ef6\u8def\u5f84\u4e2d\u7684\u7279\u6b8a\u5143\u7d20\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u53d7\u9650\u76ee\u5f55\u4e4b\u5916\u7684\u4f4d\u7f6e\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://jira.atlassian.com/browse/JSDSERVER-6589",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-40791",
  "openTime": "2019-11-15",
  "patchDescription": "Atlassian Jira Service Desk Server\u548cAtlassian Jira Service Desk Data Center\u90fd\u662f\u6fb3\u5927\u5229\u4e9aAtlassian\uff08Atlassian\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002Atlassian Jira Service Desk Server\u662f\u4e00\u5957IT\u670d\u52a1\u53f0\u4e0e\u8bf7\u6c42\u8ddf\u8e2a\u7cfb\u7edf\u7684\u670d\u52a1\u5668\u7248\u3002\u8be5\u7cfb\u7edf\u4e3b\u8981\u7528\u4e8e\u63a5\u6536\u3001\u8ddf\u8e2a\u548c\u7ba1\u7406\u56e2\u961f\u5ba2\u6237\u7684\u8bf7\u6c42\u3002Atlassian Jira Service Desk Data Center\u662fAtlassian Jira Service Desk\u7684\u6570\u636e\u4e2d\u5fc3\u7248\u672c\u3002Customer Context Filter\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u4e0a\u4e0b\u6587\u8fc7\u6ee4\u5668\u3002\r\n\r\nAtlassian Jira Service Desk Server\u548cJira Service Desk Data Center\u4e2d\u7684Customer Context Filter\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u672a\u80fd\u6b63\u786e\u5730\u8fc7\u6ee4\u8d44\u6e90\u6216\u6587\u4ef6\u8def\u5f84\u4e2d\u7684\u7279\u6b8a\u5143\u7d20\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u53d7\u9650\u76ee\u5f55\u4e4b\u5916\u7684\u4f4d\u7f6e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Atlassian Jira Service Desk Server\u548cAtlassian Jira Service Desk Data Center Customer Context Filter\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Atlassian Jira Service Desk \u003c3.9.17M",
      "Atlassian Jira Service Desk \u003c=3.10.0\uff083.16.10\u7248\u672c\u5df2\u4fee\u590d\uff09",
      "Atlassian Jira Service Desk \u003c=4.0.03.10.0\uff084.2.6\u7248\u672c\u5df2\u4fee\u590d\uff09",
      "Atlassian Jira Service Desk \u003c=4.3.03.10.0\uff084.3.5\u7248\u672c\u5df2\u4fee\u590d\uff09",
      "Atlassian Jira Service Desk \u003c=4.4.03.10.0\uff084.4.3\u7248\u672c\u5df2\u4fee\u590d\uff09",
      "Atlassian Jira Service Desk \u003c=4.5.03.10.0\uff084.5.1\u7248\u672c\u5df2\u4fee\u590d\uff09"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-15004",
  "serverity": "\u4e2d",
  "submitTime": "2019-11-11",
  "title": "Atlassian Jira Service Desk Server\u548cAtlassian Jira Service Desk Data Center Customer Context Filter\u8def\u5f84\u904d\u5386\u6f0f\u6d1e"
}

CVE-2019-15004 (GCVE-0-2019-15004)

Vulnerability from cvelistv5 – Published: 2019-11-07 03:35 – Updated: 2024-09-16 23:15

Summary

The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via a path traversal vulnerability. Note that when the 'Anyone can email the service desk or raise a request in the portal' setting is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability.

Severity ?

No CVSS data available.

CWE

Path Traversal

Assigner

atlassian

References

URL

Tags

	https://jira.atlassian.com/browse/JSDSERVER-6589	x_refsource_MISC
	https://seclists.org/bugtraq/2019/Nov/9	mailing-listx_refsource_BUGTRAQ
	http://packetstormsecurity.com/files/155214/Jira-…	x_refsource_MISC

Impacted products

Vendor

Product

Version

Atlassian

Jira Service Desk Server

Affected: unspecified , < 3.9.17 (custom)
Affected: 3.10.0 , < unspecified (custom)
Affected: unspecified , < 3.16.10 (custom)
Affected: 4.0.0 , < unspecified (custom)
Affected: unspecified , < 4.2.6 (custom)
Affected: 4.3.0 , < unspecified (custom)
Affected: unspecified , < 4.3.5 (custom)
Affected: 4.4.0 , < unspecified (custom)
Affected: unspecified , < 4.4.3 (custom)
Affected: 4.5.0 , < unspecified (custom)
Affected: unspecified , < 4.5.1 (custom)

Atlassian

Jira Service Desk Data Center

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:34:52.994Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://jira.atlassian.com/browse/JSDSERVER-6589"
          },
          {
            "name": "20191108 Jira Service Desk Server and Jira Service Desk Data Center Security Advisory - 2019-11-06 - CVE-2019-15003, CVE-2019-15004",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Nov/9"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/155214/Jira-Service-Desk-Server-Data-Center-Path-Traversal.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Jira Service Desk Server",
          "vendor": "Atlassian",
          "versions": [
            {
              "lessThan": "3.9.17",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "3.10.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.16.10",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.2.6",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "4.3.0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.3.5",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "4.4.0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.4.3",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "4.5.0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.5.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Jira Service Desk Data Center",
          "vendor": "Atlassian",
          "versions": [
            {
              "lessThan": "3.9.17",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "3.10.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.16.10",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.2.6",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "4.3.0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.3.5",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "4.4.0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.4.3",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "4.5.0",
              "versionType": "custom"
            },
            {
              "lessThan": "4.5.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2019-11-07T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via a path traversal vulnerability. Note that when the \u0027Anyone can email the service desk or raise a request in the portal\u0027 setting is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Path Traversal",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-11-08T17:06:31",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.atlassian.com/browse/JSDSERVER-6589"
        },
        {
          "name": "20191108 Jira Service Desk Server and Jira Service Desk Data Center Security Advisory - 2019-11-06 - CVE-2019-15003, CVE-2019-15004",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Nov/9"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/155214/Jira-Service-Desk-Server-Data-Center-Path-Traversal.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@atlassian.com",
          "DATE_PUBLIC": "2019-11-07T00:00:00",
          "ID": "CVE-2019-15004",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Jira Service Desk Server",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "3.9.17"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "3.10.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "3.16.10"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "4.0.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "4.2.6"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "4.3.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "4.3.5"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "4.4.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "4.4.3"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "4.5.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "4.5.1"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Jira Service Desk Data Center",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "3.9.17"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "3.10.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "3.16.10"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "4.0.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "4.2.6"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "4.3.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "4.3.5"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "4.4.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "4.4.3"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "4.5.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "4.5.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Atlassian"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before 3.9.17, from 3.10.0 before 3.16.10, from 4.0.0 before 4.2.6, from 4.3.0 before 4.3.5, from 4.4.0 before 4.4.3, and from 4.5.0 before 4.5.1 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via a path traversal vulnerability. Note that when the \u0027Anyone can email the service desk or raise a request in the portal\u0027 setting is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Path Traversal"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jira.atlassian.com/browse/JSDSERVER-6589",
              "refsource": "MISC",
              "url": "https://jira.atlassian.com/browse/JSDSERVER-6589"
            },
            {
              "name": "20191108 Jira Service Desk Server and Jira Service Desk Data Center Security Advisory - 2019-11-06 - CVE-2019-15003, CVE-2019-15004",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Nov/9"
            },
            {
              "name": "http://packetstormsecurity.com/files/155214/Jira-Service-Desk-Server-Data-Center-Path-Traversal.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/155214/Jira-Service-Desk-Server-Data-Center-Path-Traversal.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2019-15004",
    "datePublished": "2019-11-07T03:35:38.947865Z",
    "dateReserved": "2019-08-13T00:00:00",
    "dateUpdated": "2024-09-16T23:15:47.761Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2019-40791

CVE-2019-15004 (GCVE-0-2019-15004)

Tags

Sightings

Nomenclature