
Does this security issue affect us if public signup is disabled in JIRA Service Desk?

If the setting "Anyone can email the service desk or raise a request in the portal" is disabled, and the system-level configuration "Can project administrators enable public signup for their service desks?" is set to NO, then does this security risk affect the server?

If the server is not accessible from outside the network, does this still affect it?

https://confluence.atlassian.com/jira/jira-service-desk-security-advisory-2019-09-18-976171274.html

1 answer

1 accepted

0 votes
Answer accepted
Andy Heinzer Atlassian Team Sep 20, 2019

Hi Noel,

I understand you have some questions about the most recent Jira Service Desk Server security vulnerability. 

If the "Anyone can email the service desk or raise a request in the portal" setting is disabled, it does not really protect you from this vulnerability. However, with this disabled, it might prevent your Service Desk from creating new accounts for unknown users. This vulnerability can only be exploited by users that have an account in Jira Service Desk (customer, agent, Jira user, etc.). With this setting enabled, it could allow a user to create a new account on the site for Service Desk. But even with it disabled, it doesn't do anything to prevent someone that already has an account in your Jira site from being able to exploit this vulnerability.

If the server is not accessible from outside the network, does this still affect it?

Technically your server would be less likely to be affected, but you are not protected entirely. If your Jira site is not accessible publicly on the internet, then you are less likely to be exploited by this vulnerability. That said, even if your Jira site was only accessible on a private network, this vulnerability would potentially permit any user that could log in to the Service Desk customer portal to use a URL path traversal vulnerability to see all Jira issues, even those they don't have permissions to view.

Please let me know if you have any additional questions or concerns about this.

Cheers,

Andy
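Since disabling public signup does not remove the exposure described above, a defender's next step after patching is to look for traversal attempts by accounts that already exist. The following is an added example (not from this thread or from Atlassian): a small Python scanner over constructed access-log lines that flags requests whose portal URL contains plain or percent-encoded `..` segments, including double-encoded ones. The log layout, the user names and the request paths are assumptions made for illustration, not Jira's real access-log format.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a simple combined-log style (assumed layout, not
# Jira's own access log). The second field is the authenticated account.
SAMPLE_LOG = """\
10.0.0.5 alice [20/Sep/2019:10:00:00 +0000] "GET /servicedesk/customer/portal/1 HTTP/1.1" 200
10.0.0.7 bob [20/Sep/2019:10:00:04 +0000] "GET /servicedesk/customer/portal/1/../../../browse/ABC-1 HTTP/1.1" 200
10.0.0.9 carol [20/Sep/2019:10:00:09 +0000] "GET /servicedesk/customer/portal/1/%2e%2e/%2e%2e/rest/api/2/search HTTP/1.1" 200
10.0.0.9 carol [20/Sep/2019:10:00:12 +0000] "GET /servicedesk/customer/portal/1/%252e%252e/browse/ABC-2 HTTP/1.1" 200
10.0.0.5 alice [20/Sep/2019:10:00:15 +0000] "GET /servicedesk/customer/user/requests HTTP/1.1" 200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)


def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    """True if any path segment is exactly '..' after decoding (query string ignored)."""
    path = decode_fully(path.split("?", 1)[0])
    return any(segment == ".." for segment in path.split("/"))


def scan_access_log(text):
    """Return (user, raw_path) pairs for requests that try to climb out of the portal path."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match and is_traversal(match.group("path")):
            hits.append((match.group("user"), match.group("path")))
    return hits


if __name__ == "__main__":
    for user, path in scan_access_log(SAMPLE_LOG):
        print(f"traversal attempt by {user}: {path}")
```

Requests are matched on the decoded path only, so a `..` inside a query string or a segment such as `..foo` is not flagged; tune the decoding depth and the segment test to what your front-end proxy actually normalises.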

Thanks, Andy, for the brief explanation on this.
