snarang
Product Team
6 years ago

Jira Service Desk Instances Vulnerable to Path Traversal Flaw

Atlassian published a security advisory on September 18 to address a vulnerability in Jira Service Desk, an IT ticketing application used by over 25,000 organizations to accept, manage and track requests from customers and employees through a web portal.

The vulnerability, identified as CVE-2019-14994, is a path traversal flaw in Jira Service Desk and Jira Service Desk Data Center. An attacker with access to the web portal can send a specially crafted request to the Jira Service Desk portal and bypass default restrictions on who can create or view issues with Jira Service Desk, granting them access to view protected information.

While no proof-of-concept (PoC) is available at this time, Sam Curry, the researcher who discovered the vulnerability, plans to release a PoC soon along with full details from his research.

For more information, including what versions of Jira Service Desk are affected and fixed, please visit our blog.

3 Replies

  • Anonymous

    Thanks really information

  • Anonymous

    Thanks really information