CVE-2019-20105

Summary

The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote attackers who have obtained access to administrator's session to access the EditApplinkServlet resource without needing to re-authenticate to pass "WebSudo" in products that support "WebSudo" through an improper access control vulnerability.

Affected Software

VendorProductVersion RangeStatus
AtlassianApplication Linksunspecified < 5.4.20affected
AtlassianApplication Links6.0.0 < unspecifiedaffected
AtlassianApplication Linksunspecified < 6.0.12affected
AtlassianApplication Links7.0.0 < unspecifiedaffected
AtlassianApplication Linksunspecified < 7.0.1affected
AtlassianApplication Links7.1.0 < unspecifiedaffected
AtlassianApplication Linksunspecified < 7.1.3affected
AtlassianJira Server and Data Center7.13.8 < unspecifiedaffected
AtlassianJira Server and Data Centerunspecified < 7.13.12affected
AtlassianJira Server and Data Center8.4.2 < unspecifiedaffected
AtlassianJira Server and Data Centerunspecified < 8.5.4affected
AtlassianJira Server and Data Center8.6.0 < unspecifiedaffected
AtlassianJira Server and Data Centerunspecified < 8.6.1affected

Weaknesses

  • Improper Authorization

ADP Enrichment

CVE Program Container

Additional References

References