CVE-2019-8442 - OpenCVE

The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Atlassian	Jira Jira Server

Configuration 1 [-]

OR	cpe:2.3:a:atlassian:jira::::::::
	cpe:2.3:a:atlassian:jira_server::::::::
	cpe:2.3:a:atlassian:jira_server::::::::

No data.

References

Link	Providers
http://www.securityfocus.com/bid/108460
https://jira.atlassian.com/browse/JRASERVER-69241

History

No history.

MITRE

Status: PUBLISHED

Assigner: atlassian

Published: 2019-05-22T17:39:14.653681Z

Updated: 2024-09-16T17:58:53.478Z

Reserved: 2019-02-18T00:00:00

Link: CVE-2019-8442

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-05-22T18:29:02.067

Modified: 2022-04-22T20:10:53.783

Link: CVE-2019-8442

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Jira", "vendor": "Atlassian", "versions": [{"lessThan": "7.13.4", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "8.0.0", "versionType": "custom"}, {"lessThan": "8.0.4", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "8.1.0", "versionType": "custom"}, {"lessThan": "8.1.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2019-05-08T00:00:00", "descriptions": [{"lang": "en", "value": "The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check."}], "problemTypes": [{"descriptions": [{"description": "Information Exposure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-05-27T07:06:02", "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "shortName": "atlassian"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://jira.atlassian.com/browse/JRASERVER-69241"}, {"name": "108460", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/108460"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@atlassian.com", "DATE_PUBLIC": "2019-05-08T00:00:00", "ID": "CVE-2019-8442", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jira", "version": {"version_data": [{"version_affected": "<", "version_value": "7.13.4"}, {"version_affected": ">=", "version_value": "8.0.0"}, {"version_affected": "<", "version_value": "8.0.4"}, {"version_affected": ">=", "version_value": "8.1.0"}, {"version_affected": "<", "version_value": "8.1.1"}]}}]}, "vendor_name": "Atlassian"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information Exposure"}]}]}, "references": {"reference_data": [{"name": "https://jira.atlassian.com/browse/JRASERVER-69241", "refsource": "MISC", "url": "https://jira.atlassian.com/browse/JRASERVER-69241"}, {"name": "108460", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108460"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T21:17:31.463Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jira.atlassian.com/browse/JRASERVER-69241"}, {"name": "108460", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/108460"}]}]}, "cveMetadata": {"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66", "assignerShortName": "atlassian", "cveId": "CVE-2019-8442", "datePublished": "2019-05-22T17:39:14.653681Z", "dateReserved": "2019-02-18T00:00:00", "dateUpdated": "2024-09-16T17:58:53.478Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*", "matchCriteriaId": "E5F53E99-E523-46BC-BB9C-2C1088D30E69", "versionEndExcluding": "7.13.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D2468233-97B0-4673-A2EA-5787CFD56097", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "2806E160-A601-4276-A3F2-8F73DA3AE3E0", "versionEndExcluding": "8.1.1", "versionStartIncluding": "8.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check."}, {"lang": "es", "value": "CachingResourceDownloadRewriteRule class in Jira antes versi\u00f3n 7.13.4, y desde la versi\u00f3n 8.0.0 antes de la versi\u00f3n 8.0.4, y desde la versi\u00f3n 8.1.0 antes versi\u00f3n 8.1.1, permite a los atacantes remotos acceder a los archivos en el webroot de Jira bajo el directorio META-INF mediante una comprobaci\u00f3n lax path."}], "id": "CVE-2019-8442", "lastModified": "2022-04-22T20:10:53.783", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-05-22T18:29:02.067", "references": [{"source": "security@atlassian.com", "tags": ["Broken Link"], "url": "http://www.securityfocus.com/bid/108460"}, {"source": "security@atlassian.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://jira.atlassian.com/browse/JRASERVER-69241"}], "sourceIdentifier": "security@atlassian.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}