CVE-2019-14999

The Uninstall REST endpoint in Atlassian Universal Plugin Manager before version 2.22.19, from version 3.0.0 before version 3.0.3 and from version 4.0.0 before version 4.0.3 allows remote attackers to uninstall plugins using a Cross-Site Request Forgery (CSRF) vulnerability on an authenticated administrator.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
atlassianCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 30%
VendorProductVersion
atlassianuniversal_plugin_manager
𝑥
< 2.22.19
atlassianuniversal_plugin_manager
3.0.0 ≤
𝑥
< 3.0.3
atlassianuniversal_plugin_manager
4.0.0 ≤
𝑥
< 4.0.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://ecosystem.atlassian.net/browse/UPM-6044
https://ecosystem.atlassian.net/browse/UPM-6044