CVE-2019-14998: Cross-Site Request Forgery in Atlassian Jira

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.2% (top 58.17%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Sep 11
Latest update: May 24

Description

The Webwork action Cross-Site Request Forgery (CSRF) protection implementation in Jira before version 8.4.0 allows remote attackers to bypass its protection via "cookie tossing" a CSRF cookie from a subdomain of a Jira instance.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (2 packages)

CVEListV5 | atlassian/jira | unspecified | 8.4.0
NVD | atlassian/jira_server | 7.4.0 | 8.4.0

Vulnerability Details (2)

GHSA
GHSA-pxw3-82pf-w6pr: The Webwork action Cross-Site Request Forgery (CSRF) protection implementation in Jira before version 8 | 2022-05-24
CVEList
CVE-2019-14998: The Webwork action Cross-Site Request Forgery (CSRF) protection implementation in Jira before version 8 | 2019-09-11
CVE-2019-14998 — Cross-Site Request Forgery | cvebase