CVE-2019-15005

moderate-risk

Published 2019-11-08

The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2.

Do I need to act?

0.21% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

Affected Products (8)

Troubleshooting And Support

Bamboo

Bitbucket

Confluence

Crowd

Crucible

Fisheye

Jira

Affected Vendors

Atlassian

References (4)

https://herolab.usd.de/security-advisories/usd-2019-0016/

Issue Tracking https://jira.atlassian.com/browse/BAM-20647

https://herolab.usd.de/security-advisories/usd-2019-0016/

Issue Tracking https://jira.atlassian.com/browse/BAM-20647

/ 100

moderate-risk

Severity 18/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 14/34 · Moderate