Does this security issue apply if public sign-up is disabled in the JIRA Service Desk?

Noel John September 19, 2019

If the setting "Anyone can email the service desk or raise a request in the portal" is disabled, because the system-level configuration "Can project administrators enable public signup for their service desks?" is set to NO, then does this security risk affect the server?

If the server is not accessible from an outside network, then does this affect it?

https://confluence.atlassian.com/jira/jira-service-desk-security-advisory-2019-09-18-976171274.html

Answer accepted
Andy Heinzer
Atlassian Team
September 20, 2019

Hi Noel,

I understand you have some questions about the most recent Jira Service Desk Server security vulnerability.

If the "Anyone can email the service desk or raise a request in the portal" setting is disabled, it does not really protect you from this vulnerability. However, with this disabled, it might prevent your Service Desk from creating new accounts for unknown users. This vulnerability can only be exploited by users that have an account in Jira Service Desk (customer, Agent, Jira user, etc.). With this setting enabled, it could allow a user to create a new account on the site for Service Desk. But even with it disabled, it doesn't do anything to prevent someone that already has an account in your Jira site from being able to exploit this vulnerability.

If the server is not accessible from an outside network, then does this affect it?

Technically your server would be less likely to be affected, but you are not protected entirely. If your Jira site is not accessible publicly on the internet, then you are less likely to be exploited by this vulnerability. That said, even if your Jira site was only accessible on a private network, this vulnerability would potentially permit any user that could login to the Service Desk customer portal to use a URL path traversal vulnerability to see all Jira issues, even those they don't have permissions to view.

Please let me know if you have any additional questions or concerns about this.

Cheers,

Andy
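Since the answer above says that neither disabling public sign-up nor keeping the site off the internet removes the risk from an already-registered portal user, a defender would want to watch the access logs for path-traversal attempts against the customer portal. The following Python is an added example, not code from this thread or from Atlassian; it assumes combined-format web access logs with the authenticated user in the third field and the default `/servicedesk/customer/` portal path prefix, and the sample log lines and their target paths are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Assumption: default Jira Service Desk customer portal path prefix.
PORTAL_PREFIX = "/servicedesk/customer/"

# Combined-format access log line: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic); target paths are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - customer1 [19/Sep/2019:10:01:02 +0000] "GET /servicedesk/customer/portal/1 HTTP/1.1" 200 5120
10.0.0.5 - customer1 [19/Sep/2019:10:01:09 +0000] "GET /servicedesk/customer/portal/1/../../some-internal-path HTTP/1.1" 200 8800
10.0.0.7 - customer2 [19/Sep/2019:10:02:30 +0000] "GET /servicedesk/customer/portal/1/%2e%2e/%2e%2e/some-internal-path HTTP/1.1" 200 3100
10.0.0.9 - agent1 [19/Sep/2019:10:03:00 +0000] "GET /rest/api/2/myself HTTP/1.1" 200 900
10.0.0.5 - customer1 [19/Sep/2019:10:03:40 +0000] "GET /servicedesk/customer/portal/1/create/10?q=.. HTTP/1.1" 200 4000
"""


def has_traversal_segment(raw_path: str) -> bool:
    """True if any path segment (after percent-decoding) is '..'.

    The query string is ignored: '..' in a parameter value is not a
    path segment. Decoding twice also catches double-encoded dots.
    """
    path = raw_path.split("?", 1)[0]
    decoded = unquote(unquote(path))
    return any(segment == ".." for segment in decoded.split("/"))


def find_portal_traversal(log_text: str) -> list:
    """Return parsed log entries that carry '..' segments under the portal prefix.

    Each hit records the account that made the request, which matters here
    because the vulnerability is reachable by any authenticated portal user.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        decoded_path = unquote(unquote(m["path"])).lower()
        if not decoded_path.startswith(PORTAL_PREFIX):
            continue  # only requests that enter through the customer portal
        if has_traversal_segment(m["path"]):
            hits.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                         "path": m["path"], "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in find_portal_traversal(SAMPLE_LOG):
        print(f'{hit["ts"]} user={hit["user"]} ip={hit["ip"]} path={hit["path"]}')
```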

Noel John September 23, 2019

Thanks, Andy, for the brief explanation on this.
