The EditApplinkServlet resource in the Atlassian Application Links plugin before version 5.4.20, from version 6.0.0 before version 6.0.12, from version 6.1.0 before version 6.1.2, from version 7.0.0 before version 7.0.1, and from version 7.1.0 before version 7.1.3 allows remote attackers who have obtained access to administrator's session to access the EditApplinkServlet resource without needing to re-authenticate to pass "WebSudo" in products that support "WebSudo" through an improper access control vulnerability.
References
Link | Resource |
---|---|
https://ecosystem.atlassian.net/browse/APL-1391 | Vendor Advisory |
https://jira.atlassian.com/browse/JRASERVER-70526 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: atlassian
Published: 2020-03-17T00:00:00
Updated: 2020-03-17T02:40:13
Reserved: 2019-12-30T00:00:00
Link: CVE-2019-20105
JSON object: View
NVD Information
Status : Analyzed
Published: 2020-03-17T03:15:10.980
Modified: 2020-08-24T17:37:01.140
Link: CVE-2019-20105
JSON object: View
Redhat Information
No data.
CWE