Atlassian has issued a security update for Jira Service Desk Server and Jira Service Desk Data Center. The update fixes a critical URL path traversal vulnerability, CVE-2019-14994, that could allow information disclosure.
The vulnerability does not affect Jira Service Desk Cloud. In addition, the issue does not impact Jira Core or Jira Software on instances where Jira Service Desk is not installed.
“A URL path traversal vulnerability in Jira Service Desk Server and Jira Service Desk Data Center allows a remote attacker with portal access to view all issues from all projects in the affected instance. This could include Jira Service Desk projects, Jira Core projects, and Jira Software projects,” Atlassian noted.
Atlassian recommends customers upgrade to Jira Service Desk Server and Jira Service Desk Data Center versions 3.9.16, 3.16.8, 4.1.3, 4.2.5, 4.3.4 or 4.4.1. These latest versions are not affected by the issue.
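For teams with several instances to check, the following added example (not Atlassian's code) triages installed Jira Service Desk versions against the fixed releases listed above. It assumes three-part numeric version strings and that each listed release is the fix for its own major.minor line; the hostnames and installed versions in the sample inventory are constructed.

```python
# Fixed releases named in the article, one per release line.
FIXED = ["3.9.16", "3.16.8", "4.1.3", "4.2.5", "4.3.4", "4.4.1"]

def parse(version):
    """'4.2.5' -> (4, 2, 5); raises ValueError on any other shape."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {version!r}")
    return tuple(int(p) for p in parts)

def fmt(v):
    return ".".join(str(n) for n in v)

FIXED_T = sorted(parse(v) for v in FIXED)

def triage(installed):
    """Return (status, target) for one installed Service Desk version.

    status is 'fixed' (at or past the listed fix on its release line),
    'upgrade' (target = nearest listed fixed release to move to), or
    'unlisted' (newer than every release the article names; check the
    advisory itself, since the article does not cover it).
    """
    v = parse(installed)
    same_line = [f for f in FIXED_T if f[:2] == v[:2]]
    if same_line:
        fix = same_line[0]
        return ("fixed", None) if v >= fix else ("upgrade", fmt(fix))
    # Assumption: no fix listed for this line, so recommend the next
    # listed fixed release above the installed version.
    later = [f for f in FIXED_T if f > v]
    if later:
        return ("upgrade", fmt(later[0]))
    return ("unlisted", None)

def report(inventory):
    """Map each host to its triage result."""
    return {host: triage(ver) for host, ver in inventory.items()}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "sd-prod.example.internal": "4.2.3",
    "sd-stage.example.internal": "3.16.8",
    "sd-legacy.example.internal": "3.12.0",
}

if __name__ == "__main__":
    for host, (status, target) in report(SAMPLE).items():
        print(f"{host}: {status}" + (f" -> {target}" if target else ""))
```

Versions on a release line the article does not name are reported as `upgrade` toward the next listed fixed release, which is a conservative reading of the recommendation rather than a statement that the line is affected.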
For more details about the issue, see Atlassian security advisory 2019-09-18.