Workaround for CVE-2019-15003




Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.


The Jira Service Desk versions affected by CVE-2019-15003 allow users without application access, that is, Service Desk customers, to see restricted information in the Jira instance.

Service Desk customers normally have no access to Jira information. This authorization bypass allows a remote attacker with portal access to gain direct access to Jira with the same permissions.

The issue affects Jira Service Desk portals that have the "Anyone can email the service desk or raise a request in the portal" setting enabled; exploitation allows an attacker to view all issues within all Jira projects contained in the vulnerable instance. The following Jira Service Desk versions are affected:


  • All versions before 3.9.17
  • 3.10.x
  • 3.11.x
  • 3.12.x
  • 3.13.x
  • 3.14.x
  • 3.15.x
  • 3.16.x before 3.16.11 (the fixed version for 3.16.x)
  • 4.0.x
  • 4.1.x
  • 4.2.x before 4.2.6 (the fixed version for 4.2.x)
  • 4.3.x before 4.3.5 (the fixed version for 4.3.x)
  • 4.4.x before 4.4.3 (the fixed version for 4.4.x)
  • 4.5.x before 4.5.1 (the fixed version for 4.5.x)

The permanent resolution is given below, along with workarounds for cases where an immediate upgrade is not possible.


Upgrade to a fixed version of Jira Service Desk:

  • 3.9.17
  • 3.16.11
  • 4.2.6
  • 4.3.5
  • 4.4.3
  • 4.5.1


Block authorization bypass.

Workaround 1.

Redirect requests to Jira whose path contains .jsp, .jspa or .jspx to a safe URL

  1. Add the following rule to the <urlrewrite> section of [jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml:

        <rule>
            <!-- Matches /servicedesk/ paths containing .jsp, .jspa or .jspx; this is the same
                 path pattern the reverse-proxy rules in Workaround 2 use -->
            <from>/servicedesk/.*\.jsp.*</from>
            <to type="temporary-redirect">/</to>
        </rule>
  2. Save the urlrewrite.xml
  3. Restart Jira.

Workaround 2.

Block the requests used for the authorization bypass at the reverse proxy or load-balancer level


  1. Apache: add the following to the .conf file that contains the VirtualHost that proxies to Jira

    <LocationMatch "/servicedesk/.*\.jsp.*">
        Order Allow,Deny
        Deny from all
    </LocationMatch>

    example below -

    <VirtualHost *:80>
        ProxyRequests Off
        ProxyVia Off
        <Proxy *>
            Require all granted
        </Proxy>
        ProxyPass /jira http://ipaddress:8080/jira
        ProxyPassReverse /jira http://ipaddress:8080/jira
        # Deny any /servicedesk/ path containing .jsp, .jspa or .jspx before it reaches Jira.
        # Order/Deny is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied".
        <LocationMatch "/servicedesk/.*\.jsp.*">
            Order Allow,Deny
            Deny from all
        </LocationMatch>
    </VirtualHost>
  2. Restart your Apache proxy


  1. NGINX: add the following to the .conf file that contains the server block that proxies to Jira, inside the location block

    if ($uri ~* "/servicedesk/.*\.jsp.*") { return 403; }

    example below -

        location /jira {
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://ipaddress:8080/jira;
            client_max_body_size 10M;
            # $uri is the normalized request path without the query string; ~* matches case-insensitively
            if ($uri ~* "/servicedesk/.*\.jsp.*") { return 403; }
        }
  2. Restart your NGINX
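Both reverse-proxy rules above rely on the same path pattern, so it is worth confirming what that pattern does and does not cover before deploying it, and confirming afterwards that the proxy actually enforces it. The following Python script is an added example, not part of this KB article or of Atlassian's tooling: it mirrors the `/servicedesk/.*\.jsp.*` pattern against constructed sample paths (assuming Jira runs under the `/jira` context path) and includes a hypothetical `probe_status` helper that asks a deployed proxy for the status it returns. The base URL and sample paths are placeholders.

```python
"""Check coverage of the CVE-2019-15003 reverse-proxy workaround pattern.

Added example, not part of the Atlassian KB article. It mirrors the regex used by
the Apache LocationMatch and NGINX `if` rules: /servicedesk/.*\\.jsp.*
"""
import re
import urllib.error
import urllib.request

# Same pattern as the workaround rules (matches .jsp, .jspa and .jspx).
BLOCK_PATTERN = r"/servicedesk/.*\.jsp.*"


def would_block(request_target: str, case_insensitive: bool = False) -> bool:
    """Return True if the proxy rule would match this request target.

    Apache LocationMatch and NGINX $uri both see only the path, so the query
    string is dropped first. NGINX `~*` is case-insensitive; Apache
    LocationMatch is case-sensitive by default.
    """
    path = request_target.split("?", 1)[0]
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(BLOCK_PATTERN, path, flags) is not None


# Constructed sample request targets for a Jira at context path /jira.
SAMPLE_TARGETS = [
    "/jira/servicedesk/customer/portal/1",            # normal portal page: allowed
    "/jira/servicedesk/customer/portal/1/create/10",  # portal request form: allowed
    "/jira/rest/servicedeskapi/request",              # no "/servicedesk/" segment: allowed
    "/jira/servicedesk/foo.jsp",                      # blocked
    "/jira/servicedesk/foo.jspa?id=1",                # blocked (query string ignored)
    "/jira/servicedesk/foo.jspx",                     # blocked
    "/jira/servicedesk/data.json",                    # ".json" is not ".jsp": allowed
    "/jira/servicedesk/FOO.JSP",                      # blocked only by the case-insensitive NGINX rule
]


def coverage(targets, case_insensitive=False):
    """Map each target to whether the rule blocks it."""
    return {t: would_block(t, case_insensitive) for t in targets}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as HTTPError instead of following it (Workaround 1 answers with a redirect)."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_status(base_url: str, target: str, timeout: float = 5.0) -> int:
    """Hypothetical helper: return the HTTP status a deployed proxy gives for base_url + target."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + target, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def is_mitigated(status: int) -> bool:
    """403 (Workaround 2) or a redirect (Workaround 1) means the rule fired."""
    return status == 403 or 300 <= status < 400


if __name__ == "__main__":
    for target, blocked in coverage(SAMPLE_TARGETS).items():
        print(f"{'BLOCK' if blocked else 'allow':5} {target}")
    # To check a deployed proxy, replace the placeholder base URL and uncomment:
    # for t in SAMPLE_TARGETS:
    #     print(is_mitigated(probe_status("https://jira.example.invalid", t)), t)
```

The case-sensitivity difference is the one thing to note when choosing between the two proxy rules: the NGINX rule uses `~*`, while Apache's `LocationMatch` is case-sensitive, so the two do not treat an upper-case extension the same way.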

Product: Jira Service Desk
Last updated: November 6, 2019

