The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before version 3.9.16, from version 3.10.0 before version 3.16.8, from version 4.0.0 before version 4.1.3, from version 4.2.0 before version 4.2.5, from version 4.3.0 before version 4.3.4, and version 4.4.0 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via a path traversal vulnerability. Note that when the 'Anyone can email the service desk or raise a request in the portal' setting is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability.

According to its self-reported version number, the Atlassian Jira Service Desk application running on the remote host is prior to 3.9.16, 3.10.x prior to 3.16.8, 4.0.x prior to 4.1.3, 4.2.x prior to 4.2.5, 4.3.x prior to 4.3.4 or 4.4.x prior to 4.4.1. It is, therefore, affected by a path traversal vulnerability. An authenticated, remote attacker can exploit this to view all issues from all the projects in the affected instance.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the instance of  Atlassian Service Desk hosted on the remote web server is  prior to 3.9.16, 3.1x.x prior to 3.16.8, 4.0.x prior to 4.1.3, 4.2.x  prior to 4.2.5, 4.3.x prior to 4.3.4, 4.4.x prior to 4.4.1. It is,  therefore, affected by an url path traversal vulnerability  in Jira Service Desk Server and Jira Service Desk Data Center.  An authenticated, remote attacker can exploit this to view all  issues from all the projects in the affected instance.

ID	Name	Product	Family	Severity
98747	Atlassian Jira Service Desk 4.4.x < 4.4.1 Path Traversal Vulnerability	Web App Scanning	Component Vulnerability	high
98746	Atlassian Jira Service Desk 4.3.x < 4.3.4 Path Traversal Vulnerability	Web App Scanning	Component Vulnerability	high
98745	Atlassian Jira Service Desk 4.2.x < 4.2.5 Path Traversal Vulnerability	Web App Scanning	Component Vulnerability	high
98744	Atlassian Jira Service Desk 4.0.x < 4.1.3 Path Traversal Vulnerability	Web App Scanning	Component Vulnerability	high
98743	Atlassian Jira Service Desk 3.10.x < 3.16.8 Path Traversal Vulnerability	Web App Scanning	Component Vulnerability	high
98742	Atlassian Jira Service Desk < 3.9.16 Path Traversal Vulnerability	Web App Scanning	Component Vulnerability	high
129406	Atlassian JIRA Service Desk Path Traversal Vulnerability (2019-09-18)	Nessus	Windows	high
129405	Atlassian JIRA Service Desk Path Traversal Vulnerability (2019-09-18)	Nessus	CGI abuses	high

Detections

Analytics

CVE-2019-14994

high

Tenable Plugins

high

high

high

high

high

high

high

high