Talos Vulnerability Report

TALOS-2019-0838

Atlassian Jira Tempo plugin issue summary information disclosure vulnerability

September 16, 2019

CVE Number

CVE-2019-5095

Summary

An issue summary information disclosure vulnerability exists in Atlassian Jira Tempo plugin, version 4.10.0. Authenticated users can obtain the summary for issues they do not have permission to view via the Tempo plugin.

Tested Versions

Atlassian Jira 7.6.4 Atlassian Jira Tempo Core system plugin 4.10.0

Product URLs

https://www.atlassian.com/software/jira

CVSSv3 Score

4.3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-862 - Missing Authorization

Details

An attacker can use this vector to view the summary of arbitrary issues. In order for the exploit to run successfully, the user must have a valid session. This does not display any actual time information collected by the tempo plugin.

Exploit Proof-of-Concept

With an authenticated session, submit a GET to /secure/TempoIssueBoard!timesheet.jspa?issue=<ISSUE-KEY>, replacing <ISSUE-KEY> with a valid issue key.

Timeline

2019-05-14 - Vendor Disclosure
2019-06-11 - Issued to 3rd party vendor (Tempo)
2019-06-21 - Vendor (Tempo) fixed
2019-09-16 - Public Release

Credit

Discovered by Ben Taylor of Cisco ASIG.

TALOS-2019-0834

TALOS-2019-0837

Intelligence Center

Vulnerability Research

Security Resources

Media

Company