Atlassian has released updates for Jira Service Desk and Jira Data Center to fix a critical-severity security bug that can be exploited by anyone with access to a vulnerable customer portal. The bug is a URL path traversal leading to information disclosure and is tracked as CVE-2019-14994. It is related to a vulnerability that researcher Orange Tsai disclosed to Uber in 2018, which permitted access to the company’s internal server by adding “..;” to the URL path parameter. The company recommends adding the rule below to the “URLwrite” section of “[jira-installation-directory]/atlassian-jira”
Source: https://www.bleepingcomputer.com/news/security/jira-server-and-service-desk-fix-critical-security-bugs/
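
For defenders reviewing web logs for the “..;” pattern described above, the following is an added detection example; it is not Atlassian's rule and not code from the article. It assumes combined-format access logs and a backend that strips “;...” path parameters from a segment before resolving “..”, as Java servlet containers such as Tomcat do. The log lines, paths and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (documentation IP range, hypothetical paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Oct/2019:10:00:01 +0000] "GET /portal/home HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Oct/2019:10:00:05 +0000] "GET /portal/..;/internal/page HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Oct/2019:10:00:09 +0000] "GET /portal/%2e%2e%3b/internal/page HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Oct/2019:10:00:12 +0000] "GET /portal;jsessionid=ABC/home?q=..;/x HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def traversal_segments(target):
    """Return decoded path segments that become '..' once ';params' are removed."""
    path = target.split("?", 1)[0]          # the query string is not part of the path
    for _ in range(2):                       # catch single and double percent-encoding
        path = unquote(path)
    hits = []
    for seg in path.split("/"):
        name = seg.split(";", 1)[0]          # what remains after parameter stripping
        if name == ".." and ";" in seg:      # "..;" hides ".." from a naive front-end filter
            hits.append(seg)
    return hits


def scan(lines):
    """Return (line_number, request_target, segments) for each suspicious request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue                         # not a request line in the assumed format
        segments = traversal_segments(match.group("target"))
        if segments:
            findings.append((number, match.group("target"), segments))
    return findings


if __name__ == "__main__":
    for number, target, segments in scan(SAMPLE_LOG):
        print(f"line {number}: {target} -> {segments}")
```

Ordinary path parameters such as `;jsessionid=` and “..;” inside a query string are not flagged, which keeps the check focused on segments that a parameter-stripping backend would treat as a parent-directory reference.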

