CVE-2019-14994: Path Traversal
First published: Thu Sep 19 2019(Updated: )
The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before version 3.9.16, from version 3.10.0 before version 3.16.8, from version 4.0.0 before version 4.1.3, from version 4.2.0 before version 4.2.5, from version 4.3.0 before version 4.3.4, and version 4.4.0 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via a path traversal vulnerability. Note that when the 'Anyone can email the service desk or raise a request in the portal' setting is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability.
Credit: security@atlassian.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Atlassian Jira Service Desk | <3.9.16 | |
| Atlassian Jira Service Desk | <3.9.16 | |
| Atlassian Jira Service Desk | >=3.10.0<3.16.8 | |
| Atlassian Jira Service Desk | >=3.10.0<3.16.8 | |
| Atlassian Jira Service Desk | >=4.0.0<4.1.3 | |
| Atlassian Jira Service Desk | >=4.0.0<4.1.3 | |
| Atlassian Jira Service Desk | >=4.2.0<4.2.5 | |
| Atlassian Jira Service Desk | >=4.2.0<4.2.5 | |
| Atlassian Jira Service Desk | >=4.3.0<4.3.4 | |
| Atlassian Jira Service Desk | >=4.3.0<4.3.4 | |
| Atlassian Jira Service Desk | =4.4.0 | |
| Atlassian Jira Service Desk | =4.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-14994?
CVE-2019-14994 is a vulnerability in Atlassian Jira Service Desk Server and Jira Service Desk Data Center that allows path traversal.
What is the severity of CVE-2019-14994?
CVE-2019-14994 has a severity level of high (7.5).
Which versions of Atlassian Jira Service Desk are affected by CVE-2019-14994?
Atlassian Jira Service Desk Server and Jira Service Desk Data Center before version 3.9.16, from version 3.10.0 before version 3.16.8, from version 4.0.0 before version 4.1.3, from version 4.2.0 before version 4.2.5, from version 4.3.0 before version 4.3.4, and version 4.4.0 are affected by CVE-2019-14994.
How does CVE-2019-14994 allow path traversal?
CVE-2019-14994 allows an attacker to traverse directories and access files outside the scope of the intended directory.
Where can I find more information about CVE-2019-14994?
More information about CVE-2019-14994 can be found at the following references: [1] [2] [3].
- collector/nvd-index
- agent/severity
- agent/author
- agent/references
- agent/weakness
- agent/type
- agent/tags
- agent/event
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/atlassian
- canonical/atlassian jira service desk
- version/atlassian jira service desk/3.10.0
- version/atlassian jira service desk/4.0.0
- version/atlassian jira service desk/4.2.0
- version/atlassian jira service desk/4.3.0
- version/atlassian jira service desk/4.4.0