CVE-2019-20100

4.7MEDIUM

Key Information:

Vendor
Atlassian
Status
Application Links
Jira Server
Vendor
CVE Published:
12 February 2020

Summary

The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.2, and from version 7.1.0 before version 7.1.3. The vulnerable plugin is used by Atlassian Jira Server and Data Center before version 8.7.0. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.

Affected Version(s)

Application Links < 5.4.21

Application Links 6.0.0

Application Links < 6.0.12

References

https://www.tenable.com/security/research/tra-2020-06
x_refsource_MISC
https://ecosystem.atlassian.net/browse/APL-1390
x_refsource_MISC
https://jira.atlassian.com/browse/JRASERVER-70607
x_refsource_MISC

CVSS V3.1

Score:
4.7
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.