Vulnerability Details CVE-2019-14994
The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before version 3.9.16, from version 3.10.0 before version 3.16.8, from version 4.0.0 before version 4.1.3, from version 4.2.0 before version 4.2.5, from version 4.3.0 before version 4.3.4, and version 4.4.0 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via a path traversal vulnerability. Note that when the 'Anyone can email the service desk or raise a request in the portal' setting is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.017
EPSS Ranking 81.4%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 4.3
References
- http://packetstormsecurity.com/files/154574/Jira-Service-Desk-Server-And-Data-Center-Path-Traversal.html
- https://jira.atlassian.com/browse/JSDSERVER-6517
- https://samcurry.net/analysis-of-cve-2019-14994/
- https://seclists.org/bugtraq/2019/Sep/39
- http://packetstormsecurity.com/files/154574/Jira-Service-Desk-Server-And-Data-Center-Path-Traversal.html
- https://jira.atlassian.com/browse/JSDSERVER-6517
- https://samcurry.net/analysis-of-cve-2019-14994/
- https://seclists.org/bugtraq/2019/Sep/39
Products affected by CVE-2019-14994
-
cpe:2.3:a:atlassian:jira_service_desk:-
-
cpe:2.3:a:atlassian:jira_service_desk:3.0.0
-
cpe:2.3:a:atlassian:jira_service_desk:3.0.10
-
cpe:2.3:a:atlassian:jira_service_desk:3.0.11
-
cpe:2.3:a:atlassian:jira_service_desk:3.0.2
-
cpe:2.3:a:atlassian:jira_service_desk:3.0.3
-
cpe:2.3:a:atlassian:jira_service_desk:3.0.4
-
cpe:2.3:a:atlassian:jira_service_desk:3.0.5
-
cpe:2.3:a:atlassian:jira_service_desk:3.0.9
-
cpe:2.3:a:atlassian:jira_service_desk:3.1.0
-
cpe:2.3:a:atlassian:jira_service_desk:3.1.1
-
cpe:2.3:a:atlassian:jira_service_desk:3.1.10
-
cpe:2.3:a:atlassian:jira_service_desk:3.1.2
-
cpe:2.3:a:atlassian:jira_service_desk:3.1.4
-
cpe:2.3:a:atlassian:jira_service_desk:3.1.5
-
cpe:2.3:a:atlassian:jira_service_desk:3.1.6
-
cpe:2.3:a:atlassian:jira_service_desk:3.1.7
-
cpe:2.3:a:atlassian:jira_service_desk:3.1.8
-
cpe:2.3:a:atlassian:jira_service_desk:3.1.9
-
cpe:2.3:a:atlassian:jira_service_desk:3.10.0
-
cpe:2.3:a:atlassian:jira_service_desk:3.10.1
-
cpe:2.3:a:atlassian:jira_service_desk:3.10.2
-
cpe:2.3:a:atlassian:jira_service_desk:3.10.3
-
cpe:2.3:a:atlassian:jira_service_desk:3.10.4
-
cpe:2.3:a:atlassian:jira_service_desk:3.11.0
-
cpe:2.3:a:atlassian:jira_service_desk:3.11.1
-
cpe:2.3:a:atlassian:jira_service_desk:3.11.2
-
cpe:2.3:a:atlassian:jira_service_desk:3.11.3
-
cpe:2.3:a:atlassian:jira_service_desk:3.11.4
-
cpe:2.3:a:atlassian:jira_service_desk:3.12.0
-
cpe:2.3:a:atlassian:jira_service_desk:3.12.1
-
cpe:2.3:a:atlassian:jira_service_desk:3.12.2
-
cpe:2.3:a:atlassian:jira_service_desk:3.13.0
-
cpe:2.3:a:atlassian:jira_service_desk:3.13.1
-
cpe:2.3:a:atlassian:jira_service_desk:3.13.2
-
cpe:2.3:a:atlassian:jira_service_desk:3.14.0
-
cpe:2.3:a:atlassian:jira_service_desk:3.14.1
-
cpe:2.3:a:atlassian:jira_service_desk:3.14.2
-
cpe:2.3:a:atlassian:jira_service_desk:3.15.0
-
cpe:2.3:a:atlassian:jira_service_desk:3.15.1
-
cpe:2.3:a:atlassian:jira_service_desk:3.15.2
-
cpe:2.3:a:atlassian:jira_service_desk:3.15.3
-
cpe:2.3:a:atlassian:jira_service_desk:3.16.0
-
cpe:2.3:a:atlassian:jira_service_desk:3.16.1
-
cpe:2.3:a:atlassian:jira_service_desk:3.16.2
-
cpe:2.3:a:atlassian:jira_service_desk:3.16.3
-
cpe:2.3:a:atlassian:jira_service_desk:3.16.4
-
cpe:2.3:a:atlassian:jira_service_desk:3.16.5
-
cpe:2.3:a:atlassian:jira_service_desk:3.16.6
-
cpe:2.3:a:atlassian:jira_service_desk:3.16.7
-
cpe:2.3:a:atlassian:jira_service_desk:3.2.0
-
cpe:2.3:a:atlassian:jira_service_desk:3.2.1
-
cpe:2.3:a:atlassian:jira_service_desk:3.2.10
-
cpe:2.3:a:atlassian:jira_service_desk:3.2.11
-
cpe:2.3:a:atlassian:jira_service_desk:3.2.12
-
cpe:2.3:a:atlassian:jira_service_desk:3.2.13
-
cpe:2.3:a:atlassian:jira_service_desk:3.2.14
-
cpe:2.3:a:atlassian:jira_service_desk:3.2.15
-
cpe:2.3:a:atlassian:jira_service_desk:3.2.2
-
cpe:2.3:a:atlassian:jira_service_desk:3.2.3
-
cpe:2.3:a:atlassian:jira_service_desk:3.2.4
-
cpe:2.3:a:atlassian:jira_service_desk:3.2.5
-
cpe:2.3:a:atlassian:jira_service_desk:3.2.6
-
cpe:2.3:a:atlassian:jira_service_desk:3.2.7
-
cpe:2.3:a:atlassian:jira_service_desk:3.2.8
-
cpe:2.3:a:atlassian:jira_service_desk:3.2.9
-
cpe:2.3:a:atlassian:jira_service_desk:3.3.0
-
cpe:2.3:a:atlassian:jira_service_desk:3.3.1
-
cpe:2.3:a:atlassian:jira_service_desk:3.3.2
-
cpe:2.3:a:atlassian:jira_service_desk:3.4.0
-
cpe:2.3:a:atlassian:jira_service_desk:3.4.1
-
cpe:2.3:a:atlassian:jira_service_desk:3.4.2
-
cpe:2.3:a:atlassian:jira_service_desk:3.5.0
-
cpe:2.3:a:atlassian:jira_service_desk:3.5.1
-
cpe:2.3:a:atlassian:jira_service_desk:3.5.2
-
cpe:2.3:a:atlassian:jira_service_desk:3.5.3
-
cpe:2.3:a:atlassian:jira_service_desk:3.6.0
-
cpe:2.3:a:atlassian:jira_service_desk:3.6.1
-
cpe:2.3:a:atlassian:jira_service_desk:3.6.2
-
cpe:2.3:a:atlassian:jira_service_desk:3.6.3
-
cpe:2.3:a:atlassian:jira_service_desk:3.6.4
-
cpe:2.3:a:atlassian:jira_service_desk:3.7.0
-
cpe:2.3:a:atlassian:jira_service_desk:3.7.1
-
cpe:2.3:a:atlassian:jira_service_desk:3.7.2
-
cpe:2.3:a:atlassian:jira_service_desk:3.8.0
-
cpe:2.3:a:atlassian:jira_service_desk:3.8.1
-
cpe:2.3:a:atlassian:jira_service_desk:3.8.2
-
cpe:2.3:a:atlassian:jira_service_desk:3.8.3
-
cpe:2.3:a:atlassian:jira_service_desk:3.8.4
-
cpe:2.3:a:atlassian:jira_service_desk:3.8.5
-
cpe:2.3:a:atlassian:jira_service_desk:3.9.0
-
cpe:2.3:a:atlassian:jira_service_desk:3.9.1
-
cpe:2.3:a:atlassian:jira_service_desk:3.9.10
-
cpe:2.3:a:atlassian:jira_service_desk:3.9.11
-
cpe:2.3:a:atlassian:jira_service_desk:3.9.12
-
cpe:2.3:a:atlassian:jira_service_desk:3.9.13
-
cpe:2.3:a:atlassian:jira_service_desk:3.9.14
-
cpe:2.3:a:atlassian:jira_service_desk:3.9.15
-
cpe:2.3:a:atlassian:jira_service_desk:3.9.2
-
cpe:2.3:a:atlassian:jira_service_desk:3.9.3
-
cpe:2.3:a:atlassian:jira_service_desk:3.9.4
-
cpe:2.3:a:atlassian:jira_service_desk:3.9.5
-
cpe:2.3:a:atlassian:jira_service_desk:3.9.6
-
cpe:2.3:a:atlassian:jira_service_desk:3.9.7
-
cpe:2.3:a:atlassian:jira_service_desk:3.9.8
-
cpe:2.3:a:atlassian:jira_service_desk:3.9.9
-
cpe:2.3:a:atlassian:jira_service_desk:4.0.0
-
cpe:2.3:a:atlassian:jira_service_desk:4.0.1
-
cpe:2.3:a:atlassian:jira_service_desk:4.0.2
-
cpe:2.3:a:atlassian:jira_service_desk:4.0.3
-
cpe:2.3:a:atlassian:jira_service_desk:4.1.0
-
cpe:2.3:a:atlassian:jira_service_desk:4.1.1
-
cpe:2.3:a:atlassian:jira_service_desk:4.1.2
-
cpe:2.3:a:atlassian:jira_service_desk:4.2.0
-
cpe:2.3:a:atlassian:jira_service_desk:4.2.1
-
cpe:2.3:a:atlassian:jira_service_desk:4.2.2
-
cpe:2.3:a:atlassian:jira_service_desk:4.2.3
-
cpe:2.3:a:atlassian:jira_service_desk:4.2.4
-
cpe:2.3:a:atlassian:jira_service_desk:4.3.0
-
cpe:2.3:a:atlassian:jira_service_desk:4.3.1
-
cpe:2.3:a:atlassian:jira_service_desk:4.3.2
-
cpe:2.3:a:atlassian:jira_service_desk:4.3.3
-
cpe:2.3:a:atlassian:jira_service_desk:4.4.0