CVE-2019-20099

The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
atlassianCNA
4.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 46%
Affected Products (NVD)
VendorProductVersion
atlassianjira_data_center
7.6.15 ≤
𝑥
< 8.5.4
atlassianjira_data_center
8.5.5 ≤
𝑥
< 8.6.2
atlassianjira_server
7.6.15 ≤
𝑥
< 8.5.4
atlassianjira_server
8.5.5 ≤
𝑥
< 8.6.2
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
atlassianjira
𝑥
< 8.7.0
CNA
Common Weakness Enumeration
References
https://jira.atlassian.com/browse/JRASERVER-70606
https://www.tenable.com/security/research/tra-2020-05
https://jira.atlassian.com/browse/JRASERVER-70606
https://www.tenable.com/security/research/tra-2020-05