CVE-2019-15005

The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2.

CVSS v3 4.3 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://herolab.usd.de/security-advisories/usd-2019-0016/
https://jira.atlassian.com/browse/BAM-20647	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:atlassian:troubleshooting_and_support:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:atlassian:bamboo::::::::
	cpe:2.3:a:atlassian:bitbucket::::::::
	cpe:2.3:a:atlassian:confluence::::::::
	cpe:2.3:a:atlassian:crowd::::::::
	cpe:2.3:a:atlassian:crucible::::::::
	cpe:2.3:a:atlassian:fisheye::::::::
	cpe:2.3:a:atlassian:jira::::::::

History

No history.

Information

Published : 2019-11-08 04:15

Updated : 2024-02-28 17:28

NVD link : CVE-2019-15005

Mitre link : CVE-2019-15005

CVE.ORG link : CVE-2019-15005

JSON object : View

Products Affected

atlassian

crowd
crucible
bitbucket
troubleshooting_and_support
fisheye
bamboo
confluence
jira

CWE

CWE-862

Missing Authorization

{"id": "CVE-2019-15005", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2019-11-08T04:15:10.307", "references": [{"url": "https://herolab.usd.de/security-advisories/usd-2019-0016/", "source": "security@atlassian.com"}, {"url": "https://jira.atlassian.com/browse/BAM-20647", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "security@atlassian.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2."}, {"lang": "es", "value": "El plugin Atlassian Troubleshooting and Support anterior a versi\u00f3n 1.17.2, permite a un usuario sin privilegios iniciar escaneos de registros peri\u00f3dicos y enviar los resultados a una direcci\u00f3n de correo electr\u00f3nico especificada por el usuario debido a una falta de comprobaci\u00f3n de autorizaci\u00f3n. El mensaje de correo electr\u00f3nico puede contener informaci\u00f3n de configuraci\u00f3n sobre la aplicaci\u00f3n en la que el plugin est\u00e1 instalado. Se incluye una versi\u00f3n vulnerable del plugin con Bitbucket Server/Data Center versiones anteriores a 6.6.0, Confluence Server / Data Center versiones anteriores a 7.0.1, Jira Server / Data Center versiones anteriores a 8.3.2, Crowd / Crowd Data Center versiones anteriores a 3.6.0, Fisheye versiones anteriores a 4.7.2, Crucible versiones anteriores a 4.7.2 y Bamboo versiones anteriores a 6.10.2."}], "lastModified": "2019-11-14T21:15:11.437", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:troubleshooting_and_support:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "093A33BE-D93B-4CBC-9BF3-B37207CBAD84", "versionEndExcluding": "1.17.2"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A17D5A1F-2408-4768-9DC3-F850B21B64AD", "versionEndExcluding": "6.10.2"}, {"criteria": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF79AB35-E420-4475-AD28-FC219C636C8B", "versionEndExcluding": "6.6.0"}, {"criteria": "cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EC203A88-CA6B-4F1A-A68D-9C2CDE8F67FC", "versionEndExcluding": "7.0.1"}, {"criteria": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1361951B-0754-45FF-96E4-8A886C24411B", "versionEndExcluding": "3.6.0"}, {"criteria": "cpe:2.3:a:atlassian:crucible:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "40EB5F54-C9BD-4299-A616-E3A8E20C77FB", "versionEndExcluding": "4.7.2"}, {"criteria": "cpe:2.3:a:atlassian:fisheye:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "452D57FA-0A0B-486F-9D4B-45487B68FFB9", "versionEndExcluding": "4.7.2"}, {"criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "76FE371E-3000-464E-ADEE-033BF2989429", "versionEndExcluding": "8.3.2"}], "operator": "OR"}]}], "sourceIdentifier": "security@atlassian.com"}