PT-2020-10341 · Atlassian · Application Links Plugin
Published 2020-03-17 · Updated 2020-08-24
CVE-2019-20105
CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Atlassian Application Links plugin versions 5.4.19 and earlier
Atlassian Application Links plugin versions 6.0.0 through 6.0.11
Atlassian Application Links plugin versions 6.1.0 through 6.1.1
Atlassian Application Links plugin versions 7.0.0
Atlassian Application Links plugin versions 7.1.0 through 7.1.2
Description
The issue allows remote attackers who have obtained access to an administrator's session to access the EditApplinkServlet resource without re-authenticating, bypassing WebSudo in products that support it, because of an improper access control vulnerability.
Recommendations
For Atlassian Application Links plugin versions 5.4.19 and earlier, update to version 5.4.20 or later.
For Atlassian Application Links plugin versions 6.0.0 through 6.0.11, update to version 6.0.12 or later.
For Atlassian Application Links plugin versions 6.1.0 through 6.1.1, update to version 6.1.2 or later.
For Atlassian Application Links plugin version 7.0.0, update to version 7.0.1 or later.
For Atlassian Application Links plugin versions 7.1.0 through 7.1.2, update to version 7.1.3 or later.
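As an added example that is not part of this advisory (and not a Positive Technologies or Atlassian tool), the following Python checks an installed Application Links plugin version against the affected ranges listed above and reports the minimum fixed version to upgrade to; the inventory it scans is constructed sample data.

```python
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges (inclusive) and the fix version for each, exactly as listed
# in this advisory for CVE-2019-20105. A None lower bound means "and earlier".
AFFECTED_RANGES = [
    (None, "5.4.19", "5.4.20"),
    ("6.0.0", "6.0.11", "6.0.12"),
    ("6.1.0", "6.1.1", "6.1.2"),
    ("7.0.0", "7.0.0", "7.0.1"),
    ("7.1.0", "7.1.2", "7.1.3"),
]


def parse_version(text: str) -> Version:
    """Turn '6.0.11' into (6, 0, 11); short forms like '6.0' are padded with zeros.

    Anything that is not dotted digits is rejected rather than silently guessed.
    """
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts) or len(parts) > 3:
        raise ValueError(f"not a numeric dotted version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def fixed_version_for(installed: str) -> Optional[str]:
    """Return the minimum fixed version if `installed` is affected, else None."""
    v = parse_version(installed)
    for low, high, fix in AFFECTED_RANGES:
        low_ok = low is None or parse_version(low) <= v
        if low_ok and v <= parse_version(high):
            return fix
    return None


def triage(inventory: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each host in an inventory to the fix version it needs (None if not affected)."""
    return {host: fixed_version_for(ver) for host, ver in inventory.items()}


# Constructed sample inventory: host name -> installed Application Links version.
SAMPLE_INVENTORY = {
    "jira-prod": "7.1.2",       # affected, needs 7.1.3
    "confluence-dev": "6.0.12",  # already on a fixed version
    "bitbucket-legacy": "5.2.3",  # "5.4.19 and earlier" branch, needs 5.4.20
}

if __name__ == "__main__":
    for host, fix in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'upgrade to ' + fix if fix else 'not affected'}")
```

Versions with a fourth component (e.g. build suffixes) are rejected on purpose so that an unexpected format is investigated rather than reported as "not affected".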
Weakness Enumeration
Missing Authentication
Related Identifiers
CVE-2019-20105
Affected Products
Application Links Plugin
Jira