Synopsis
The remote web server hosts a web application that is potentially affected by an information disclosure vulnerability.

Description
According to its self-reported version number, the instance of Atlassian JIRA hosted on the remote web server is 8.4.x prior to 8.4.2. It is, therefore, affected by multiple vulnerabilities:
- An information disclosure vulnerability in the listEntityLinks servlet resource of the Application links plugin discloses application link information to non-admin users via a missing permissions check. (CVE-2019-15011)
- The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue status from a project via a missing authorization check. (CVE-2019-15013)
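The following version-range check is an added example, not code from the scanner plugin or from Atlassian: it maps a self-reported JIRA version string to the CVEs listed above using only the ranges stated in this description. It assumes the 8.4.x-before-8.4.2 range from the description header for CVE-2019-15011 (the entry itself gives no range) and models "before 7.13.12" with a zero lower bound.

```python
"""Map a self-reported Atlassian JIRA version to the CVEs in this advisory."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(v: str) -> Version:
    """Turn "8.4.2" (or "8.4.2-rc1") into a comparable tuple, padded to 3 parts."""
    nums = []
    for part in v.strip().split("."):
        m = re.match(r"\d+", part)          # ignore suffixes such as "-rc1"
        nums.append(int(m.group()) if m else 0)
    return tuple(nums) + (0,) * (3 - len(nums))


# Half-open [lower, upper) ranges taken from the advisory text above.
# CVE-2019-15011 uses the 8.4.x-before-8.4.2 range from the description header
# (assumption: the CVE entry itself states no range).
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2019-15011": [("8.4.0", "8.4.2")],
    "CVE-2019-15013": [("0", "7.13.12"), ("8.0.0", "8.4.3"), ("8.5.0", "8.5.2")],
}


def affected_cves(version: str) -> List[str]:
    """Return the CVEs whose stated affected ranges contain `version`."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        if any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    for sample in ("7.13.11", "8.4.1", "8.4.2", "8.4.3", "8.5.1", "8.5.2"):
        print(sample, "->", affected_cves(sample) or "not affected")
```

Note that, by the ranges the description itself states, 8.4.2 still falls inside the CVE-2019-15013 window, so the check reports it rather than treating the header's "prior to 8.4.2" as the only cut-off.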
Solution
Upgrade to Atlassian JIRA version 8.4.2 / 8.5.0.