Atlassian released updates for Jira Service Desk and Jira Service Desk Data Center to fix a critical-severity security bug that can be exploited by anyone with access to a vulnerable customer portal.

The company patched another critical vulnerability affecting Jira Server and Jira Data Center that allows server-side template injection leading to remote code execution.

Access to internal Jira projects

The bug impacting Jira Service Desk and Jira Service Desk Data Center is a URL path traversal leading to information disclosure and is now tracked as CVE-2019-14994.

Jira Service Desk is a help desk request tracker that lets customers view issues and make requests while their access to the underlying Jira instance stays restricted.

Security researcher Sam Curry discovered that the limitation can be bypassed by anyone with access to the portal, both customers and employees.

"Exploitation allows an attacker to view all issues within all Jira projects contained in the vulnerable instance. This could include Jira Service Desk projects, Jira Core projects, and Jira Software projects."

Using an advanced search, Satnam Narang of Tenable found that there are plenty of targets reachable over the public internet. His search returned over 25,000 results from organizations across the world in the healthcare, government, education and manufacturing industries.

CVE-2019-14994 is connected to a previous vulnerability disclosed by researcher Orange Tsai to Uber in 2018, which permitted access to the company's internal server by adding "..;" to the URL path parameter.

In an advisory this week, Atlassian informs that product versions before 3.9.16, from 3.10.0 before 3.16.8, from 4.0.0 before 4.1.3, from 4.2.0 before 4.2.5, from 4.3.0 before 4.3.4, and version 4.4.0 are affected by this vulnerability.

The following versions of Jira Service Desk Server and Jira Service Desk Data Center include the fix for CVE-2019-14994: 3.9.16, 3.16.8, 4.1.3, 4.2.5, 4.3.4, and 4.4.1.

As an interim solution until updating becomes possible, admins can block requests to JIRA containing '..' at the reverse proxy or load balancer level, or configure JIRA to redirect requests containing '..' to a safe URL. For the latter, the company recommends adding the rule given in its advisory to the "urlrewrite" section of "[jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml":

Remote code execution in Jira Server

In another advisory, Atlassian discloses a template injection vulnerability in the Importers Plugin, which affects Jira Server and Jira Data Center from version 7.0.10 onward. The flaw is now tracked as CVE-2019-15001.

The severity of this issue is also marked as critical, although it is only exploitable by an attacker in the administrators' group. Members of that group can perform most administrative functions, but they do not have system-wide permissions and may have restricted access, depending on their application access.

"Successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center."

Credited for finding and disclosing this vulnerability is Daniil Dimitriev. Affected versions of the product start from 7.0.10 and include the following:

from 7.0.10 before 7.6.16 (fixed in 7.6.16)

from 7.7.0 before 7.13.8 (fixed in 7.13.8)

from 8.0.0 before 8.1.3 (fixed in 8.1.3)

from 8.2.0 before 8.2.5 (fixed in 8.2.5)

from 8.3.0 before 8.3.4 (fixed in 8.3.4)

from 8.4.0 before 8.4.1 (fixed in 8.4.1)

Atlassian recommends updating to the patched versions, but if this is not possible immediately there is a temporary workaround that consists of blocking PUT requests to the '/rest/jira-importers-plugin/1.0/demo/create' endpoint.
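Both interim workarounds above (blocking '..' in request paths for CVE-2019-14994, and blocking PUT to the importers-plugin demo endpoint for CVE-2019-15001) are simple string rules, so an admin who cannot patch yet can also run the same two rules over existing access logs to see whether either was ever hit. The script below is an added example and not code from Atlassian or from the advisories; the log lines are constructed for the example, and the `..;` and percent-encoded paths in them are made-up illustrations, not real requests. It percent-decodes the path before matching, because a literal '..' filter at a proxy would miss `%2e%2e`, a caveat worth checking in whatever rule you deploy.

```python
"""Flag Jira access-log requests that the two Atlassian interim workarounds would
block: '..' in the decoded request path (CVE-2019-14994) and PUT to the
importers-plugin demo endpoint (CVE-2019-15001). Added example, not vendor code."""
import re
from urllib.parse import unquote

# Endpoint named in the CVE-2019-15001 workaround.
IMPORTERS_DEMO_ENDPOINT = "/rest/jira-importers-plugin/1.0/demo/create"

# Constructed sample log (Combined Log Format); the paths are illustrative only.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2019:10:01:02 +0000] "GET /servicedesk/customer/portal/1 HTTP/1.1" 200 5120
10.0.0.7 - - [18/Sep/2019:10:01:05 +0000] "GET /servicedesk/customer/portal/1/..;/example-page HTTP/1.1" 302 0
10.0.0.7 - - [18/Sep/2019:10:01:09 +0000] "GET /servicedesk/customer/portal/1/%2e%2e;/example-page HTTP/1.1" 200 8192
10.0.0.9 - - [18/Sep/2019:10:02:00 +0000] "PUT /rest/jira-importers-plugin/1.0/demo/create HTTP/1.1" 200 340
10.0.0.9 - - [18/Sep/2019:10:02:30 +0000] "GET /rest/jira-importers-plugin/1.0/demo/create HTTP/1.1" 405 0
10.0.0.3 - - [18/Sep/2019:10:03:00 +0000] "GET /browse/SD-12 HTTP/1.1" 200 4096
"""

# client, ident, user, [timestamp], "METHOD target PROTOCOL", status
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(target: str, max_rounds: int = 3) -> str:
    """Drop the query string and percent-decode until stable (bounded), so that
    %2e%2e and double-encoded %252e%252e are compared as '..' like a plain path."""
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal_attempt(target: str) -> bool:
    """True if the decoded path contains '..', which is exactly what Atlassian's
    workaround blocks; this covers the '..;' form as well as encoded spellings."""
    return ".." in normalize_path(target)


def is_importers_demo_put(method: str, target: str) -> bool:
    """True for a PUT to the importers-plugin demo endpoint (CVE-2019-15001 rule)."""
    return method.upper() == "PUT" and normalize_path(target).rstrip("/") == IMPORTERS_DEMO_ENDPOINT


def analyze_log(text: str) -> list:
    """Return (line_no, client, reason) for every line one of the two rules matches."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = _LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production job should count these, not drop them
        method, target = m.group("method"), m.group("target")
        if is_traversal_attempt(target):
            findings.append((line_no, m.group("client"), "path contains '..' after decoding (CVE-2019-14994 rule)"))
        elif is_importers_demo_put(method, target):
            findings.append((line_no, m.group("client"), "PUT to importers demo endpoint (CVE-2019-15001 rule)"))
    return findings


if __name__ == "__main__":
    for line_no, client, reason in analyze_log(SAMPLE_LOG):
        print(f"line {line_no}: {client}: {reason}")
```

Note that the '..' rule is as blunt as Atlassian's own workaround: any request whose decoded path contains two consecutive dots is flagged, so review hits before treating them as incidents, and expect the same occasional false positive from a proxy rule built on the same string.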