CVE-2019-14999: CSRF
First published: Thu Aug 22 2019(Updated: )
The Uninstall REST endpoint in Atlassian Universal Plugin Manager before version 2.22.19, from version 3.0.0 before version 3.0.3 and from version 4.0.0 before version 4.0.3 allows remote attackers to uninstall plugins using a Cross-Site Request Forgery (CSRF) vulnerability on an authenticated administrator.
Credit: security@atlassian.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Atlassian Universal Plugin Manager | <2.22.19 | |
| Atlassian Universal Plugin Manager | >=3.0.0<3.0.3 | |
| Atlassian Universal Plugin Manager | >=4.0.0<4.0.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2019-14999?
CVE-2019-14999 has a moderate severity rating due to the potential for remote attackers to uninstall plugins via CSRF.
How do I fix CVE-2019-14999?
To fix CVE-2019-14999, you should upgrade to Atlassian Universal Plugin Manager version 2.22.19 or later, or version 3.0.3 or later.
What systems are affected by CVE-2019-14999?
CVE-2019-14999 affects Atlassian Universal Plugin Manager versions prior to 2.22.19, from 3.0.0 to 3.0.2, and from 4.0.0 to 4.0.2.
What type of vulnerability is CVE-2019-14999?
CVE-2019-14999 is a Cross-Site Request Forgery (CSRF) vulnerability.
Who can exploit CVE-2019-14999?
CVE-2019-14999 can be exploited by remote attackers with the ability to authenticate as an admin.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/references
- agent/author
- agent/description
- agent/tags
- agent/first-publish-date
- agent/event
- agent/source
- vendor/atlassian
- canonical/atlassian universal plugin manager
- version/atlassian universal plugin manager/3.0.0
- version/atlassian universal plugin manager/4.0.0