A vulnerability was found in Troubleshooting and Support Tools Plugin up to 1.17.1 on Atlassian Bitbucket Server. It has been declared as problematic. This vulnerability affects an unknown code of the component Log Scan Handler. The manipulation with an unknown input leads to a authorization vulnerability. The CWE definition for the vulnerability is CWE-862. The product does not perform an authorization check when an actor attempts to access a resource or perform an action. As an impact it is known to affect confidentiality. CVE summarizes:

The Atlassian Troubleshooting and Support Tools plugin prior to version 1.17.2 allows an unprivileged user to initiate periodic log scans and send the results to a user-specified email address due to a missing authorization check. The email message may contain configuration information about the application that the plugin is installed into. A vulnerable version of the plugin is included with Bitbucket Server / Data Center before 6.6.0, Confluence Server / Data Center before 7.0.1, Jira Server / Data Center before 8.3.2, Crowd / Crowd Data Center before 3.6.0, Fisheye before 4.7.2, Crucible before 4.7.2, and Bamboo before 6.10.2.

The weakness was published 11/08/2019. This vulnerability was named CVE-2019-15005 since 08/13/2019. The exploitation appears to be easy. The attack can be initiated remotely. A single authentication is needed for exploitation. There are neither technical details nor an exploit publicly available.

Upgrading to version 1.17.2 eliminates this vulnerability.

Productinfo

Name

• Support Tools Plugin
• Troubleshooting

Version

• 1.17.0
• 1.17.1

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion