CVE-2019-20099

MEDIUM

Atlassian Jira Server and Data Center 7.6.15-8.5.3 - Cross-Site Request Forgery in VerifyPopServerConnection

Description

The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where the Jira server is located.

References (2)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.tenable.com/security/research/tra-2020-05
Issue Tracking, Vendor Advisory x_refsource_misc
https://jira.atlassian.com/browse/JRASERVER-70606

Scores

CVSS v3 4.3
EPSS 0.0024
EPSS Percentile 46.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Details

CWE
CWE-352
Status published
Products (2)
atlassian/jira_data_center 7.6.15 - 8.5.4
atlassian/jira_server 7.6.15 - 8.5.4
Published Feb 12, 2020
Tracked Since Feb 18, 2026