If the "Anyone can email the service desk or raise a request in the portal" setting is disabled because the system-level configuration "Can project administrators enable public signup for their service desks?" is set to NO, then does this security risk affect the server?
If the server is not accessible from an outside network, does this affect it?
https://confluence.atlassian.com/jira/jira-service-desk-security-advisory-2019-09-18-976171274.html
Hi Noel,
I understand you have some questions about the most recent Jira Service Desk Server security vulnerability.
If the "Anyone can email the service desk or raise a request in the portal" setting is disabled, it does not really protect you from this vulnerability. However, with this disabled, it might prevent your Service Desk from creating new accounts for unknown users. This vulnerability can only be exploited by users that have an account in Jira Service Desk (customer, Agent, Jira user, etc.). With this setting enabled, it could allow a user to create a new account on the site for Service Desk. But even with it disabled, it doesn't do anything to prevent someone that already has an account in your Jira site from being able to exploit this vulnerability.
If the server is not accessible from an outside network, does this affect it?
Technically your server would be less likely to be affected, but you are not protected entirely. If your Jira site is not accessible publicly on the internet, then you are less likely to be exploited by this vulnerability. That said, even if your Jira site was only accessible on a private network, this vulnerability would potentially permit any user that could log in to the Service Desk customer portal to use a URL path traversal vulnerability to see all Jira issues, even those they don't have permissions to view.
Please let me know if you have any additional questions or concerns about this.
Cheers,
Andy
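Since the answer above says the setting change does not stop an authenticated portal user from traversing out of the customer portal URL tree, one defensive check is to scan access logs for requests that are addressed to the portal but resolve elsewhere once the path is normalised. The following is an added example, not code from the thread or from Atlassian; the portal prefix, the simplified log layout and the sample lines are all constructed assumptions.

```python
import re
from urllib.parse import unquote

# Assumed (not from the advisory): customer portal URL prefix and a simplified
# access-log layout of the form  ip user "METHOD path PROTO" status
PORTAL_PREFIX = "/servicedesk/customer"
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines: a clean portal hit, one with a session path parameter
# (must not be flagged), and two that climb out of the portal tree (plain and
# percent-encoded ".." segments).
SAMPLE_LOG = [
    '10.0.0.5 customer1 "GET /servicedesk/customer/portal/1 HTTP/1.1" 200',
    '10.0.0.5 customer1 "GET /servicedesk/customer/portal/1;jsessionid=ABC HTTP/1.1" 200',
    '10.0.0.9 customer2 "GET /servicedesk/customer/portal/../../../rest/api/2/search HTTP/1.1" 200',
    '10.0.0.9 customer2 "GET /servicedesk/customer/%2e%2e/%2e%2e/secure/Dashboard.jspa HTTP/1.1" 200',
]

def normalize_path(raw_path):
    """Resolve a request path the way a servlet container does before routing:
    drop the query, percent-decode until stable, strip ';param', collapse . and .."""
    path = raw_path.split("?", 1)[0]
    prev = None
    while prev != path:                 # repeat so double encoding (%252e) is caught
        prev, path = path, unquote(path)
    segments = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]      # path parameters are ignored for routing
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)

def find_portal_traversals(lines):
    """Return (user, raw_path, resolved_path) for requests that literally start
    under the portal prefix but resolve to a path outside it."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(PORTAL_PREFIX):
            continue
        raw = m.group("path")
        resolved = normalize_path(raw)
        if not resolved.startswith(PORTAL_PREFIX):
            hits.append((m.group("user"), raw, resolved))
    return hits
```

Run over SAMPLE_LOG the check flags the two customer2 requests and leaves the jsessionid line alone; in practice the user field tells you which portal account to review, which matters because the vulnerability is reachable by any authenticated customer.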