CVE-2019-20105

Severity: 4.9 MEDIUM
EPSS: 0.2% (top 58.14%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Mar 17
Latest update: May 24

Description

The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote attackers who have obtained access to administrator's session to access the EditApplinkServlet resource without needing to re-authenticate to pass "WebSudo" in products that support "WebSudo" through an improper access co

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Exploitability: 1.2 | Impact: 3.6

Affected Packages: 3 packages

CVEListV5 | atlassian/application_links | unspecified | 5.4.20 | +6
NVD | atlassian/application_links | 6.1.0 | 6.1.2 | +4
CVEListV5 | atlassian/jira_server_and_data_center | 7.13.8 | unspecified | +5

Vulnerability Details

2
GHSA
GHSA-hhrj-8h23-4fr8: The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5 | 2022-05-24
CVEList
CVE-2019-20105: The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5 | 2020-03-17