CVE-2019-15011

The ListEntityLinksServlet resource in Application Links before version 5.0.12, from version 5.1.0 before version 5.2.11, from version 5.3.0 before version 5.3.7, from version 5.4.0 before 5.4.13, and from version 6.0.0 before 6.0.5 disclosed application link information to non-admin users via a missing permissions check.

CVSS v3 4.3 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://ecosystem.atlassian.net/browse/APL-1386	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:atlassian:application_links::::::::
	cpe:2.3:a:atlassian:application_links::::::::
	cpe:2.3:a:atlassian:application_links::::::::
	cpe:2.3:a:atlassian:application_links::::::::
	cpe:2.3:a:atlassian:application_links::::::::

History

No history.

Information

Published : 2019-12-17 04:15

Updated : 2019-12-30 17:45

NVD link : CVE-2019-15011

Mitre link : CVE-2019-15011

CVE.ORG link : CVE-2019-15011

JSON object : View

Products Affected

atlassian

application_links

CWE

CWE-276

Incorrect Default Permissions

{"id": "CVE-2019-15011", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2019-12-17T04:15:11.257", "references": [{"url": "https://ecosystem.atlassian.net/browse/APL-1386", "tags": ["Vendor Advisory"], "source": "security@atlassian.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-276"}]}], "descriptions": [{"lang": "en", "value": "The ListEntityLinksServlet resource in Application Links before version 5.0.12, from version 5.1.0 before version 5.2.11, from version 5.3.0 before version 5.3.7, from version 5.4.0 before 5.4.13, and from version 6.0.0 before 6.0.5 disclosed application link information to non-admin users via a missing permissions check."}, {"lang": "es", "value": "El recurso ListEntityLinksServlet en Application Links en versiones anteriores a la 5.0.12, de la versi\u00f3n 5.1.0 en versiones anteriores a la 5.2.11, de la versi\u00f3n 5.3.0 en versiones anteriores a la 5.3.7, de la versi\u00f3n 5.4.0 en versiones anteriores a la 5.4.13 y de la versi\u00f3n 6.0.0 en versiones anteriores a la 6.0.5 divulg\u00f3 la informaci\u00f3n del enlace de la aplicaci\u00f3n a usuarios no administradores a mediante una verificaci\u00f3n de permisos faltantes."}], "lastModified": "2019-12-30T17:45:53.390", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:application_links:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "525BCC1A-F1BD-4DA4-9D71-F796699C5C70", "versionEndExcluding": "5.0.12"}, {"criteria": "cpe:2.3:a:atlassian:application_links:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FDC745BF-811E-4176-99BD-DC215A540D8A", "versionEndExcluding": "5.2.11", "versionStartIncluding": "5.1.0"}, {"criteria": "cpe:2.3:a:atlassian:application_links:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DB16B01F-FE38-4F7F-A438-522E734E1798", "versionEndExcluding": "5.3.7", "versionStartIncluding": "5.3.0"}, {"criteria": "cpe:2.3:a:atlassian:application_links:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BB7BA4C7-CDF5-4EC3-BA7A-4DDDB220DD72", "versionEndExcluding": "5.4.13", "versionStartIncluding": "5.4.0"}, {"criteria": "cpe:2.3:a:atlassian:application_links:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CFFFAEBE-9D34-4B1F-94AC-FBD319DE245A", "versionEndExcluding": "6.0.5", "versionStartIncluding": "6.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@atlassian.com"}