First published: Fri Nov 08 2019
The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2.
Credit: security@atlassian.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Atlassian Troubleshooting and Support | < 1.17.2 | Upgrade the plugin to 1.17.2 or later |
| Atlassian Bamboo | < 6.10.2 | Upgrade to 6.10.2 or later |
| Atlassian Bitbucket | < 6.6.0 | Upgrade to 6.6.0 or later |
| Atlassian Confluence | < 7.0.1 | Upgrade to 7.0.1 or later |
| Atlassian Crowd | < 3.6.0 | Upgrade to 3.6.0 or later |
| Atlassian Crucible | < 4.7.2 | Upgrade to 4.7.2 or later |
| Atlassian FishEye | < 4.7.2 | Upgrade to 4.7.2 or later |
| Atlassian JIRA | < 8.3.2 | Upgrade to 8.3.2 or later |
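The table above gives the first fixed version of each product. The following script, added here as an example (it is not SecAlerts' or Atlassian's code), turns that table into a version check an administrator can run against an inventory of installed Atlassian products. The fixed-version numbers come from this advisory; the function names and the sample inventory are constructed for the example.

```python
"""Check whether installed Atlassian product versions ship a
Troubleshooting and Support Tools plugin affected by CVE-2019-15005.

Fixed-version data is taken from the advisory table above; the function
names and the sample inventory below are constructed for this example.
"""
import re

# First fixed version per product, per the advisory. Server and Data
# Center editions share the same fixed version in the advisory text.
FIXED_VERSIONS = {
    "troubleshooting-and-support": "1.17.2",
    "bamboo": "6.10.2",
    "bitbucket": "6.6.0",
    "confluence": "7.0.1",
    "crowd": "3.6.0",
    "crucible": "4.7.2",
    "fisheye": "4.7.2",
    "jira": "8.3.2",
}


def parse_version(text):
    """Turn '7.0.1' (or '7.0.1-rc1') into a comparable tuple of ints.

    Only the leading dotted-numeric part is compared; a suffix such as
    '-rc1' is ignored, so a pre-release build compares equal to the
    release it precedes. Missing components are padded with zeros so
    that '6.6' and '6.6.0' compare equal.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(product, installed):
    """Return True when `installed` is below the first fixed version."""
    key = product.strip().lower()
    if key not in FIXED_VERSIONS:
        raise KeyError(f"{product!r} is not listed in the advisory")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[key])


def audit(inventory):
    """Evaluate a {product: version} inventory; returns {product: bool}."""
    return {product: is_affected(product, version)
            for product, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not data from real hosts.
    sample = {
        "jira": "8.3.1",
        "confluence": "7.0.1",
        "bitbucket": "6.5.3",
        "crowd": "3.6.0",
    }
    for product, affected in audit(sample).items():
        status = "AFFECTED" if affected else "ok"
        print(f"{product:12} {sample[product]:8} {status}")
```

The comparison is a plain numeric tuple comparison, so a product on a later major release (for example Jira 8.10.0) is correctly reported as not affected even though its minor number is larger than the fixed version's. Products not named in the advisory raise rather than silently reporting "ok".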
The vulnerability ID for this issue is CVE-2019-15005.
The severity of CVE-2019-15005 is medium with a CVSS score of 4.3.
The following Atlassian products are affected by CVE-2019-15005: Atlassian Troubleshooting and Support, Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence, Atlassian Crowd, Atlassian Crucible, Atlassian FishEye, Atlassian JIRA.
An unprivileged user can exploit CVE-2019-15005 by initiating periodic log scans and sending the results to a user-specified email address, because the plugin performs no authorization check on that action.
A fix for CVE-2019-15005 is available in version 1.17.2 of the Atlassian Troubleshooting and Support Tools plugin, and in the product versions listed in the table above.