CVE-2019-14994: URL Path Traversal Vulnerability in Jira Service Desk Leads to Information Disclosure
Path traversal flaw in Jira Service Desk can be used by attackers to view protected information in Jira projects.
Background
On September 18, Atlassian published a security advisory for a vulnerability in Jira Service Desk, an IT ticketing application used by over 25,000 organizations to accept, manage and track requests from customers and employees through a web portal.
Tenable Research has identified many publicly accessible Jira Service Desk instances belonging to organizations in healthcare, government, education and manufacturing in the United States, Canada, Europe and Australia. The following is a screenshot of search engine results listing publicly accessible Jira Service Desk portals.
In related news, Atlassian has also released a security advisory for CVE-2019-15001, an authenticated template injection vulnerability in the Jira Importers Plugin for Jira Server reported by security researcher Daniil Dmitriev. Dmitriev discovered and reported another template injection vulnerability, CVE-2019-11581, back in July.
분석
CVE-2019-14994 is a URL path traversal vulnerability in Jira Service Desk and Jira Service Desk Data Center. By default, the ticketing system restricts customers’ or employees’ access to certain privileges, such as opening new requests or viewing existing requests without accessing the company’s Jira instance directly.
According to the advisory, an attacker with access to the web portal can send a specially crafted request to the Jira Service Desk portal to bypass these restrictions and view protected information. In order to exploit the vulnerability, the Customer Permissions settings for who can raise a request must be set to “Anyone can email the service desk or raise a request in the portal,” which may be a common configuration because the other two options limit who can open requests. In addition to viewing protected information within Jira Service Desk, an attacker could also view protected information from Jira Software and Jira Core if the “Browse Project” permission is set to Group - Anyone.
While full details about the vulnerability are not public at this time, Sam Curry, the researcher who discovered the vulnerability, tweeted that he plans to publish more details, including a proof-of-concept (PoC), soon. Curry also credited DEVCORE researcher Orange Tsai’s previous work, which stems from a Black Hat and DEFCON presentation from 2018 called “Breaking Parser Logic! Taking Your Path Normalization off and Pop 0days Out.”
Researcher Sam Curry responds to Orange Tsai on Twitter
Curry confirmed to Tsai his findings are linked to Tsai’s example of accessing Uber’s internal Jira server, appending “..;” to the URL path parameter, which gets treated as a parent directory. Atlassian appears to confirm this in its knowledgebase article for the vulnerability.
Slide deck from Orange Tsai’s Black Hat presentation on accessing Uber’s internal Jira server
Proof of concept
While there was no PoC available when this blog was published, the researcher plans to release a PoC soon.
Solution
Atlassian has released updated versions of Jira Service Desk Server and Jira Service Desk Data Center to address this vulnerability. The following table contains the list of vulnerable versions with the associated fixed versions.
| Affected Version | Fixed Version |
|---|---|
| 3.9.16 and prior | 3.9.16 or 3.16.8 |
| 3.10.0 through 3.16.7 | 3.16.8 |
| 4.0.0 through 4.1.2 | 4.1.3 |
| 4.2.0 through 4.2.4 | 4.2.5 |
| 4.3.0 through 4.3.3 | 4.3.4 |
| 4.4.0 | 4.4.1 |
Fixed versions can be retrieved from Atlassian’s Service Desk update page.
If upgrading to a patched version of Jira Service Desk Server or Service Desk Center is not feasible at this time, Atlassian has also provided temporary workarounds to thwart attacks.
Organizations using Jira Service Desk Server or Service Desk Center should consider patching as soon as possible ahead of the release of a PoC and exploit attempts from attackers.
Identifying affected systems
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
Get more information
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 60-day trial of Tenable.io Vulnerability Management.
관련 기사
Kinsing Malware Hides Itself as a Manual Page and Targets Cloud Servers
May 16, 2024Tenable Cloud Security Research Team has recently discovered that Kinsing malware, known for targeting Linux-based cloud infrastructures, exploits Apache Tomcat servers with new advanced stealth techniques. Explore our analysis and the indicators of compromise in this report.
Cybersecurity Snapshot: Find MITRE ATT&CK Complex? Need Help Mapping to It? There’s an App for That!
March 10, 2023Learn about a new tool that streamlines MITRE ATT&CK mapping. Plus, known vulnerabilities remain a major cyber risk – just ask LastPass. Also, discover why SaaS data protection remains difficult. Plus, a look at the U.S. National Cybersecurity Strategy. And much more!
The Ransomware Ecosystem: In Pursuit of Fame and Fortune
July 28, 2022The key players within the ransomware ecosystem, including affiliates and initial access brokers, work together cohesively like a band of musicians, playing their respective parts as they strive for fame and fortune.
Cybersecurity Snapshot: CISA Warns Hospitals about Black Basta, as Tenable Study Finds Cloud-Related Breaches Pervasive
May 17, 2024Find out why healthcare organizations must beware of the Black Basta ransomware group. Meanwhile, a Tenable study found that 95% of surveyed organizations suffered a cloud-related breach, and offers insights for boosting cloud security. Plus, a Cloud Security Alliance report delves into how AI systems can create risky gaps in your cloud environment. And much more!
Kinsing Malware Hides Itself as a Manual Page and Targets Cloud Servers
May 16, 2024Tenable Cloud Security Research Team has recently discovered that Kinsing malware, known for targeting Linux-based cloud infrastructures, exploits Apache Tomcat servers with new advanced stealth techniques. Explore our analysis and the indicators of compromise in this report.
Microsoft’s May 2024 Patch Tuesday Addresses 59 CVEs (CVE-2024-30051, CVE-2024-30040)
May 14, 2024Microsoft addresses 59 CVEs in its May 2024 Patch Tuesday release with one critical vulnerability and three zero-day vulnerabilities, two of which were exploited in the wild.
- Threat Intelligence
- Threat Management
- Vulnerability Management
- Vulnerability Scanning