Atlassian issued security advisories addressing major flaws in Jira Service Desk and Jira Service Desk Data Center. One of the vulnerabilities can result in information disclosure, while another serious vulnerability addressed by Atlassian could allow server-side template injection leading to remote code execution.

The first vulnerability affecting Service Desk and Service Desk Data Center is a URL path traversal.

Tracked as CVE-2019-14994, the vulnerability could result in information disclosure and could be abused by anyone with access to the portal, including customers. Security researcher Sam Curry reported the vulnerability.

“Affected JIRA Service Desk versions in CVE-2019-14994 will allow non-application access users – Service Desk Customers to path traverse to see restricted issues in the JIRA instance.” reads the security advisory published by Atlassian.

“This allows Service Desk Customers who normally don’t have access to tickets that are not their own to view details of tickets contained in the XML generated results in all JIRA Service Desk projects.”

An attacker could abuse the vulnerability to view all issues within all Jira projects contained in the vulnerable installation. Security researcher Satnam Narang of Tenable noted that millions of installs are exposed online; the IT ticketing application is widely adopted in several fields, including healthcare, government, education and industry.

“According to the advisory, an attacker with access to the web portal can send a specially crafted request to the Jira Service Desk portal to bypass these restrictions and view protected information. In order to exploit the vulnerability, the Customer Permissions settings for who can raise a request must be set to “Anyone can email the service desk or raise a request in the portal,” which may be a common configuration because the other two options limit who can open requests.” reported Tenable. “In addition to viewing protected information within Jira Service Desk, an attacker could also view protected information from Jira Software and Jira Core if the “Browse Project” permission is set to Group – Anyone.”
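As an added illustration of the bug class described above (constructed for this article, not Atlassian's code or the researchers' findings): a minimal portal authorization gate that checks the raw request path, next to a hardened version that decodes and canonicalizes the path before deciding. The portal and restricted URL prefixes are assumed for illustration.

```python
# Constructed illustration of a URL path traversal against a prefix-based
# authorization check; NOT Atlassian's code. The weak gate trusts the raw
# path, so traversal segments after the portal prefix are never examined.
# The hardened gate decodes and canonicalizes first, then authorizes on the
# path the server would actually resolve.
from posixpath import normpath
from urllib.parse import unquote

PORTAL_PREFIX = "/servicedesk/customer/portal/"   # assumed customer-portal tree
RESTRICTED_PREFIX = "/secure/"                     # assumed staff-only tree

def canonicalize(raw_path: str) -> str:
    """Percent-decode (twice, to defeat double encoding) and collapse
    '.' and '..' segments into one absolute, normalized path."""
    path = unquote(unquote(raw_path))
    if not path.startswith("/"):
        path = "/" + path
    return normpath(path)

def weak_gate(raw_path: str, is_customer: bool) -> bool:
    """Authorize on the raw path: a customer may request anything that
    merely begins with the portal prefix."""
    if not is_customer:
        return True
    return raw_path.startswith(PORTAL_PREFIX)

def hardened_gate(raw_path: str, is_customer: bool) -> bool:
    """Canonicalize, then authorize: a customer may only reach the portal
    tree, and the restricted tree is refused explicitly."""
    if not is_customer:
        return True
    path = canonicalize(raw_path)
    if path.startswith(RESTRICTED_PREFIX):
        return False
    return path.startswith(PORTAL_PREFIX)

# Constructed sample requests: one legitimate portal page and two traversal
# attempts (plain and percent-encoded) at a constructed restricted route.
SAMPLE_REQUESTS = [
    "/servicedesk/customer/portal/1/create/10",
    "/servicedesk/customer/portal/1/../../../../secure/restricted-report",
    "/servicedesk/customer/portal/1/%2e%2e/%2e%2e/%2e%2e/%2e%2e/secure/restricted-report",
]

def audit(gate, requests=SAMPLE_REQUESTS) -> list:
    """Return (path, allowed) for each request as seen by a customer."""
    return [(p, gate(p, is_customer=True)) for p in requests]
```

Running `audit(weak_gate)` allows all three requests, while `audit(hardened_gate)` allows only the first.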
