Lucene search

Security-metrics-botJRASERVER-70605

HistoryFeb 05, 2020 - 4:02 p.m.

CSRF in VerifySmtpServerConnection!add.jspa - CVE-2019-20098

2020-02-0516:02:41

security-metrics-bot

jira.atlassian.com

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

35.3%

JSON

The VerifySmtpServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.

Affected configurations

Vulners

Node

atlassianjira_data_centerRange≤7.6.15

atlassianjira_data_centerRange<8.7.0

atlassianjira_data_centerRange<8.5.4

VendorProductVersionCPE
atlassianjira_data_center*cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
atlassian	jira_data_center	*	cpe:2.3:a:atlassian:jira_data_center::::::::

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

35.3%

JSON

Related for JRASERVER-70605