PT-2020-10338 · Atlassian · Jira+1
Published
2020-02-12
·
Updated
2022-03-30
·
CVE-2019-20100
CVSS v3.1
4.7
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Atlassian Application Links plugin versions prior to 5.4.21
Atlassian Application Links plugin versions 6.0.0 through 6.0.11
Atlassian Application Links plugin versions 6.1.0 through 6.1.1
Atlassian Application Links plugin versions 7.0.0 through 7.0.1
Atlassian Application Links plugin versions 7.1.0 through 7.1.2
Atlassian Jira Server and Data Center versions prior to 8.7.0
Description
The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.
Recommendations
For Atlassian Application Links plugin versions prior to 5.4.21, update to version 5.4.21 or later.
For Atlassian Application Links plugin versions 6.0.0 through 6.0.11, update to version 6.0.12 or later.
For Atlassian Application Links plugin versions 6.1.0 through 6.1.1, update to version 6.1.2 or later.
For Atlassian Application Links plugin versions 7.0.0 through 7.0.1, update to version 7.0.2 or later.
For Atlassian Application Links plugin versions 7.1.0 through 7.1.2, update to version 7.1.3 or later.
For Atlassian Jira Server and Data Center versions prior to 8.7.0, update to version 8.7.0 or later.
Exploit
Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Application Links Plugin
Jira