Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-20105

The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote attackers who have obtained access to administrator's session to access the EditApplinkServlet resource without needing to re-authenticate to pass "WebSudo" in products that support "WebSudo" through an improper access control vulnerability.

Published

2020-03-17T03:15:10.980

Last Modified

2024-11-21T04:38:04.397

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.9 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-306

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	atlassian	application_links	≤ 5.4.20	Yes
Application	atlassian	application_links	≤ 6.0.12	Yes
Application	atlassian	application_links	< 6.1.2	Yes
Application	atlassian	application_links	< 7.1.3	Yes
Application	atlassian	application_links	7.0.0	Yes

References

https://ecosystem.atlassian.net/browse/APL-1391 Vendor Advisory ([email protected])
https://jira.atlassian.com/browse/JRASERVER-70526 Vendor Advisory ([email protected])
https://ecosystem.atlassian.net/browse/APL-1391 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://jira.atlassian.com/browse/JRASERVER-70526 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)