Urgent: Critical Vulnerability Found in Jira Service Desk Products

On Wednesday September 18, 2019, Atlassian announced a critical “URL path traversal allows information disclosure” vulnerability in Jira Service Desk Server and Jira Service Desk Data Center. By design, Jira Service Desk gives Customer Portal users permission only to raise requests and view issues. This allows users to interact with the Customer Portal without having direct access to the Jira Agent view for the Project, other Projects or other underlying functions in Jira. These restrictions can be bypassed by a remote attacker with Jira Service Desk Customer Portal access who exploits a path traversal vulnerability. Note that attackers can grant themselves access to Jira Service Desk projects that have the “Anyone can email the service desk or raise a request in the portal” setting enabled. Exploitation allows an attacker to view all issues within all Jira projects contained in the vulnerable instance. This could include Jira Service Desk projects, Jira Core projects, and Jira Software projects.

What you need to know…

  • Versions affected:
    • All versions earlier than 3.9.15
    • 3.10. – 3.16.7
    • 4.0.0 – 4.1.2
    • 4.2.0 – 4.2.4
    • 4.3.0 – 4.3.3
    • 4.4.0
  • Versions already fixed:
    • 3.9.16
    • 3.16.8
    • 4.1.3
    • 4.2.5
    • 4.3.4
    • 4.4.1
  • Location and description of vulnerability: This vulnerability allows an attacker with login access to the Customer Portal in Jira Service Desk to view other Jira content and functions that should normally not be allowed.
  • Recommended action: Implement the short term workaround immediately and upgrade to a non-vulnerable version as soon as possible.
  • Short-term workaround: If you can’t upgrade immediately, we recommend that you do the following as a workaround until an upgrade can be performed.
  1. Stop Jira Service Desk
  2. Add the following to the <urlrewrite> section of [jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml:
     <rule>
         <from>^/[^?]*\.\..*$</from>
         <to type="temporary-redirect">/</to>
     </rule>
  3. Restart Jira Service Desk
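As an added example (not code from Atlassian's advisory or this post), the following Python script checks a Jira Service Desk version against the affected ranges listed above and applies the workaround rule's own regular expression to access-log lines to show which requests the rule would redirect. The access-log format, the sample lines and the reading of "3.10." as 3.10.0 are assumptions.

```python
import re

# The <from> pattern of the urlrewrite.xml workaround. UrlRewriteFilter tests it
# against the request URI, so it is applied here to the path without the query string.
WORKAROUND_PATTERN = re.compile(r"^/[^?]*\.\..*$")

# Affected ranges from the advisory as (first affected, first NOT affected, fixed version).
# "All versions earlier than 3.9.15" starts at 0.0.0; "3.10." is read here as 3.10.0 (assumption).
AFFECTED_RANGES = [
    ((0, 0, 0), (3, 9, 15), "3.9.16"),
    ((3, 10, 0), (3, 16, 8), "3.16.8"),
    ((4, 0, 0), (4, 1, 3), "4.1.3"),
    ((4, 2, 0), (4, 2, 5), "4.2.5"),
    ((4, 3, 0), (4, 3, 4), "4.3.4"),
    ((4, 4, 0), (4, 4, 1), "4.4.1"),
]

def parse_version(text):
    """'4.2' -> (4, 2, 0): pad to three numeric components so tuples compare cleanly."""
    parts = [int(p) for p in text.strip().split(".") if p]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def fixed_version_for(version):
    """Return the version to upgrade to if `version` is in an affected range, else None."""
    v = parse_version(version)
    for first, first_not, fixed in AFFECTED_RANGES:
        if first <= v < first_not:
            return fixed
    return None

# Assumed Tomcat/Apache "combined"-style access log: client, [timestamp], "METHOD target HTTP/x", status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def flag_traversal_requests(log_lines):
    """Return (client, timestamp, path, status) for each request the workaround rule would redirect."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, stamp, _method, target, status = m.groups()
        path = target.split("?", 1)[0]  # the query string is not part of the request URI
        if WORKAROUND_PATTERN.match(path):
            hits.append((client, stamp, path, int(status)))
    return hits

# Constructed sample log lines (not from a real instance); only the second contains ".." in its path.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Sep/2019:10:01:02 +0000] "GET /servicedesk/customer/portal/1 HTTP/1.1" 200 5321',
    '10.0.0.9 - - [18/Sep/2019:10:02:15 +0000] "GET /servicedesk/customer/portal/1/../../example HTTP/1.1" 200 8812',
    '10.0.0.5 - - [18/Sep/2019:10:03:44 +0000] "GET /servicedesk/customer/portal/1?q=.. HTTP/1.1" 200 5321',
]
```

Run `fixed_version_for("4.2.3")` to get the upgrade target for an installed version, and `flag_traversal_requests(SAMPLE_LOG)` to list the requests the rule would have redirected (a ".." only in the query string is not matched).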

References:

Atlassian Bug
CVE Article