CVE-2019-8442

The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://www.securityfocus.com/bid/108460	Broken Link
https://jira.atlassian.com/browse/JRASERVER-69241	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:atlassian:jira::::::::
	cpe:2.3:a:atlassian:jira_server::::::::
	cpe:2.3:a:atlassian:jira_server::::::::

History

No history.

Information

Published : 2019-05-22 18:29

Updated : 2022-04-22 20:10

NVD link : CVE-2019-8442

Mitre link : CVE-2019-8442

CVE.ORG link : CVE-2019-8442

JSON object : View

Products Affected

atlassian

jira
jira_server

CWE

NVD-CWE-noinfo

{"id": "CVE-2019-8442", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2019-05-22T18:29:02.067", "references": [{"url": "http://www.securityfocus.com/bid/108460", "tags": ["Broken Link"], "source": "security@atlassian.com"}, {"url": "https://jira.atlassian.com/browse/JRASERVER-69241", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "security@atlassian.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check."}, {"lang": "es", "value": "CachingResourceDownloadRewriteRule class in Jira antes versi\u00f3n 7.13.4, y desde la versi\u00f3n 8.0.0 antes de la versi\u00f3n 8.0.4, y desde la versi\u00f3n 8.1.0 antes versi\u00f3n 8.1.1, permite a los atacantes remotos acceder a los archivos en el webroot de Jira bajo el directorio META-INF mediante una comprobaci\u00f3n lax path."}], "lastModified": "2022-04-22T20:10:53.783", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E5F53E99-E523-46BC-BB9C-2C1088D30E69", "versionEndExcluding": "7.13.4"}, {"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D2468233-97B0-4673-A2EA-5787CFD56097", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0"}, {"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2806E160-A601-4276-A3F2-8F73DA3AE3E0", "versionEndExcluding": "8.1.1", "versionStartIncluding": "8.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@atlassian.com"}