← Back

CVE-2019-20100

nvd nist
Published: Feb 12, 2020Modified: Nov 21, 2024

JSON object

Loading...
4.7
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Exploitability: 2.8 / Impact: 1.4
Source: NVD

Description

The Atlassian Application Links plugin is vulnerable to cross-site request forgery (CSRF). The following versions are affected: all versions prior to 5.4.21, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.2, and from version 7.1.0 before version 7.1.3. The vulnerable plugin is used by Atlassian Jira Server and Data Center before version 8.7.0. An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.

Affected (4)

Atlassian
3 products
Jira
Jira Data Center
Jira Server
Configuration A
4 vulnerable
Vulnerable SoftwareAffected Versions
Jira
From 7.0.0 to 8.4.5
Atlassian
Jira Data Center
From 7.0.0 to 8.5.4
Jira Data Center
From 8.5.5 to 8.6.2
Jira Server
From 8.5.5 to 8.6.2

Related CWEs

CWE-352
Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (6)

Source: security@atlassian.com
Vendor Advisory
Source: security@atlassian.com
Issue TrackingVendor Advisory
Source: security@atlassian.com
ExploitThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Issue TrackingVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party Advisory

Timeline

No history available yet.