CVE-2019-20100: 
JIRA vulnerability analysis and mitigation

The Atlassian Application Links plugin was found to be vulnerable to cross-site request forgery (CSRF), identified as CVE-2019-20100. The vulnerability affects all versions prior to 5.4.21, versions 6.0.0 to 6.0.12, 6.1.0 to 6.1.2, 7.0.0 to 7.0.2, and 7.1.0 to 7.1.3. This plugin is used by Atlassian Jira Server and Data Center versions before 8.7.0 (CVE Details, Tenable Advisory).

The vulnerability exists in the application links configuration endpoint '/rest/applinks/3.0/applicationlinkForm/manifest.json'. The CSRF vulnerability could be exploited if an attacker convinces a user with an active WebSudo session and permissions to create application links to click on a crafted link. The vulnerability received a CVSSv2 Base Score of 5.8 (Medium) with a vector of (AV:N/AC:M/Au:N/C:P/I:P/A:N) (Tenable Advisory).

If successfully exploited, this vulnerability allows attackers to enumerate hosts and open ports on the internal network where the Jira server is present. This could potentially expose sensitive network infrastructure information to unauthorized parties (CVE Details).

The recommended mitigation is to upgrade to Jira version 8.7.0 or above. This version includes the necessary security fixes to address the CSRF vulnerability (Tenable Advisory).