Cross-Site Request Forgery Vulnerability in Atlassian Application Links Plugin
CVE-2019-20100

4.7MEDIUM

Key Information:

Vendor
Atlassian
Status
Application Links
Jira Server
Vendor
CVE Published:
12 February 2020

Summary

The Atlassian Application Links plugin has a vulnerability that allows for cross-site request forgery (CSRF) attacks, affecting various versions of the plugin and its integration with Jira Server and Data Center. An attacker could potentially exploit the vulnerability by tricking an authorized administrator into submitting a malicious HTTP request. This could enable the attacker to access sensitive information, manage hosts, and open ports within the internal network where the Jira Server is deployed, thereby compromising the integrity and confidentiality of the environment.

Affected Version(s)

Application Links < 5.4.21

Application Links 6.0.0

Application Links < 6.0.12

References

https://www.tenable.com/security/research/tra-2020-06
x_refsource_MISC
https://ecosystem.atlassian.net/browse/APL-1390
x_refsource_MISC
https://jira.atlassian.com/browse/JRASERVER-70607
x_refsource_MISC

CVSS V3.1

Score:
4.7
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.