Vulnerabilities > CVE-2019-8445 - Missing Authorization vulnerability in Atlassian Jira Server

CVSS 5.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

NONE

Availability impact

NONE

network

low complexity

atlassian

CWE-862

nessus

NVD

Published: 2019-08-23

Updated: 2022-03-25

Summary

Several worklog rest resources in Jira before version 7.13.7, and from version 8.0.0 before version 8.3.2 allow remote attackers to view worklog time information via a missing permissions check.

Vulnerable Configurations

Part	Description	Count
Application	Atlassian Atlassian Jira Server 7.13.0 Atlassian Jira Server 7.13.1 Atlassian Jira Server 7.13.2 Atlassian Jira Server 7.13.3 Atlassian Jira Server 7.13.4 Atlassian Jira Server 7.13.5 Atlassian Jira Server 7.13.6 Atlassian Jira Server 8.0.0 Atlassian Jira Server 8.0.1 Atlassian Jira Server 8.0.2 Atlassian Jira Server 8.0.3 Atlassian Jira Server 8.0.4 Atlassian Jira Server 8.0.22 Atlassian Jira Server 8.1.0 Atlassian Jira Server 8.1.1 Atlassian Jira Server 8.1.2 Atlassian Jira Server 8.1.3 Atlassian Jira Server 8.2.0 Atlassian Jira Server 8.2.1 Atlassian Jira Server 8.2.2 Atlassian Jira Server 8.2.3 Atlassian Jira Server 8.2.4 Atlassian Jira Server 8.2.5 Atlassian Jira Server 8.2.6 Atlassian Jira Server 8.3.0 Atlassian Jira Server 8.3.1	26

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

Nessus

NASL family	CGI abuses
NASL id	JIRA_7_13_7.NASL
description	According to its self-reported version number, the instance of Atlassian JIRA hosted on the remote web server is prior to 7.3.17, or 8.0.x prior to 8.3.2. It is, therefore, affected by an information disclosure vulnerability. An authenticated, remote attacker can exploit this to disclose potentially sensitive information.
last seen	2020-06-01
modified	2020-06-02
plugin id	128324
published	2019-08-29
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/128324
title	Atlassian JIRA worklog Information Disclosure
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(128324); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/28"); script_cve_id("CVE-2019-8445"); script_name(english:"Atlassian JIRA worklog Information Disclosure"); script_set_attribute(attribute:"synopsis", value: "The remote web server hosts a web application that is potentially affected by an information disclosure vulnerability."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the instance of Atlassian JIRA hosted on the remote web server is prior to 7.3.17, or 8.0.x prior to 8.3.2. It is, therefore, affected by an information disclosure vulnerability. An authenticated, remote attacker can exploit this to disclose potentially sensitive information."); script_set_attribute(attribute:"see_also", value:"https://jira.atlassian.com/browse/JRASERVER-69778"); script_set_attribute(attribute:"solution", value: "Upgrade to Atlassian JIRA version 7.13.7 / 8.3.2 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-8445"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/08/09"); script_set_attribute(attribute:"patch_publication_date", value:"2019/08/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/29"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/a:atlassian:jira"); script_set_attribute(attribute:"agent", value:"all"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("jira_detect.nasl", "atlassian_jira_win_installed.nbin", "atlassian_jira_nix_installed.nbin"); script_require_keys("installed_sw/Atlassian JIRA"); exit(0); } include('vcf.inc'); app_info = vcf::combined_get_app_info(app:'Atlassian JIRA'); constraints = [ { 'fixed_version' : '7.13.7' }, { 'min_version' : '8.0.0', 'fixed_version' : '8.3.2' } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);

Talos

id	TALOS-2019-0840
last seen	2019-09-17
published	2019-09-16
reporter	Talos Intelligence
source	http://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0840
title	Atlassian Jira Worklog Information Disclosure Vulnerability

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

Talos

References