Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center

http://kyleschen.com/tag/religion/ Overview :
The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before version 3.9.16, from version 3.10.0 before version 3.16.8, from version 4.0.0 before version 4.1.3, from version 4.2.0 before version 4.2.5, from version 4.3.0 before version 4.3.4, and version 4.4.0 allows remote attackers with portal access to view arbitrary issues in Jira Service Desk projects via a path traversal vulnerability. Note that when the ‘Anyone can email the service desk or raise a request in the portal’ setting is enabled, an attacker can grant themselves portal access, allowing them to exploit the vulnerability.
Kimitsu Affected Product(s) :
  • Jira Service Desk Server
  • Jira Service Desk Data Center
Vulnerability Details :
CVE ID : CVE-2019-14994
CVSS v3.1 Severity and Metrics. Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (V3.1 legend)
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) (CWE-22)
CVE ID : CVE-2019-15001
CVSS v2.0 Severity and Metrics. Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C) (V2 legend)
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) (CWE-74)

Solution : fix using latest updates

 

Common Vulnerabilityies and Exposures

Contact us to get started

CVE-2023-4291 : Frauscher Sensortechnik FDS101 For FAdC 1.4.24 Code Injection

CVE-2023-4291 : Frauscher Sensortechnik FDS101 For FAdC 1.4.24 Code Injection

Description Frauscher Sensortechnik GmbH FDS101 for FAdC/FAdCi v1.4.24 and all previous versions are vulnerable to a remote code execution (RCE)

CVE-2023-2163 : Linux Kernel 5.4 BPF kernel/bpf/verifier.c backtrack_insn calculation

CVE-2023-2163 : Linux Kernel 5.4 BPF kernel/bpf/verifier.c backtrack_insn calculation

Description Incorrect verifier pruning in BPF in Linux Kernel >=5.4 leads to unsafe code paths being incorrectly marked as safe,

CVE-2023-42454 : SQLpage Up To 0.11.0 Database Connection String sqlpage/sqlpage.json Information Disclosure

CVE-2023-42454 : SQLpage Up To 0.11.0 Database Connection String sqlpage/sqlpage.json Information Disclosure

Description SQLpage is a SQL-only webapp builder. Someone using SQLpage versions prior to 0.11.1, whose SQLpage instance is exposed publicly,