Atlassian released security updates to address critical vulnerabilities in Jira Service Desk and Jira Service Desk Data Center. One of the flaw can lead to information disclosure, while another critical vulnerability addressed by Atlassian could allow server-side template injection leading to remote code execution. The Jira Service Desk is a help desk request tracker brought to you by Atlassian that allows companies to easily receive, track, manage, and resolve requests from your team’s customers.
The first vulnerability affecting Service Desk and Service Desk Data Center is a URL path traversal.
The flaw, tracked as CVE-2019-14994, could lead to information disclosure, it could be exploited by anyone with access to the portal, including customers. The vulnerability has been discovered by the security researcher Sam Curry.
“Affected JIRA Service Desk versions in CVE-2019-14994 will allow
“This allows Service Desk Customers who normally don’t have access to tickets that are not their own to view details of tickets contained in the XML generated results in all JIRA Service Desk projects.”
An attacker could exploit the flaw to view all issues within all Jira projects contained in the vulnerable installation, including Service Desk projects, Jira Core projects, and Jira Software projects.
The security researchers Satnam Narang of Tenable reported that tens of thousands of installs are exposed online, the IT ticketing application is widely adopted in several sectors including the healthcare, government, education and manufacturing industry.
“According to the advisory, an attacker with access to the web portal can send a specially crafted request to the Jira Service Desk portal to bypass these restrictions and view protected information. In order to exploit the vulnerability, the Customer Permissions settings for who can raise a request must be set to “Anyone can email the service desk or raise a request in the portal,” which may be a common configuration because the other two options limit who can open requests.” reported Tenable. “In addition to viewing protected information within Jira Service Desk, an attacker could also view protected information from Jira Software and Jira Core if the “Browse Project” permission is set to Group – Anyone.”
The following versions of Service Desk Server and Service Desk Data Center address the CVE-2019-14994: 3.9.16, 3.16.8, 4.1.3, 4.2.5, 4.3.4, and 4.4.1.
A possible workaround consists of blocking requests to JIRA containing ‘..’ at the reverse proxy or
<rule> <from>^/[^?]*\.\..*$</from> <to type="temporary-redirect">/</to> </rule>
The second critical flaw addressed by Atlassian is a Template injection issue in Jira Importers Plugin.
The flaw tracked as CVE-2019-15001 affects version 7.0.10 of
“There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin (JIM). An attacker with “JIRA Administrators” access can exploit this issue. Successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.” reads the security advisory.
The vulnerability was reported by the researcher Daniil Dimitriev, it affects versions of the product start from 7.0.10 and include the following: