CVE-2019-20099

low-risk

Published 2020-02-12

The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.

Do I need to act?

0.24% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

Affected Products (2)

Jira Data Center

Jira Server

Affected Vendors

Atlassian

References (4)

Issue Tracking https://jira.atlassian.com/browse/JRASERVER-70606

Exploit https://www.tenable.com/security/research/tra-2020-05

Issue Tracking https://jira.atlassian.com/browse/JRASERVER-70606

Exploit https://www.tenable.com/security/research/tra-2020-05

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 7/34 · Low