Talos Vulnerability Report

TALOS-2019-0840

Atlassian Jira Worklog Information Disclosure Vulnerability

September 16, 2019
CVE Number

CVE-2019-8445

Summary

A worklog information disclosure vulnerability exists in Atlassian Jira 7.6.4, from version 7.6.4 to 8.1.0. Authenticated users can view worklog details for issues they do not have permission to view via the /rest/api/2/worklog/list API endpoint. They can also obtain a list of worklog ID's via /rest/api/2/worklog/updated.

Tested Versions

Atlassian Jira 7.6.4 Atlassian Jira 8.1.0

Product URLs

https://www.atlassian.com/software/jira

CVSSv3 Score

4.3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-862 - Missing Authorization

Details

An attacker can use this vector to view details for arbitrary worklog entries. In order for the exploit to run successfully, the user must have a valid session.

Exploit Proof-of-Concept

Submit a POST to /rest/api/2/worklog/list with the following body:

{"ids": [12301]}

Timeline

2019-05-14 - Vendor Disclosure
2019-08-14 - Vendor Patched
2019-09-16 - Public Release

Credit

Discovered by Ben Taylor of Cisco ASIG.