VYPR
Unrated severity · NVD Advisory · Published Apr 18, 2019 · Updated Aug 4, 2024

CVE-2019-9005

Description

The Cprime Power Scripts app before 4.0.14 for Atlassian Jira allows Directory Traversal.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Directory traversal in Cprime Power Scripts for Jira before 4.0.14 allows authenticated users to read arbitrary server files.

Vulnerability

The Cprime Power Scripts add-on for Atlassian Jira (versions before 4.0.14) contains a directory traversal vulnerability in its REST API. Specifically, the endpoints /rest/keplerrominfo/jjupin/2.0/wfviewer/filecheck and /rest/keplerrominfo/jjupin/2.0/wfviewer/filecontent do not properly validate user authorization, allowing any authenticated Jira user to probe for and read arbitrary files from the server filesystem [1]. The vulnerability exists because these endpoints, intended for administrator use, lack proper access control checks.

Exploitation

An attacker needs only a valid Jira user account (any privilege level) and network access to the Jira instance. The attacker can send crafted HTTP GET requests to the vulnerable endpoints with a path parameter that names an arbitrary file, either as an absolute path or via directory traversal sequences (e.g., c:\Windows\win.ini on Windows or /etc/passwd on Linux). The filecheck endpoint returns a JSON response indicating whether the file exists, while filecontent returns the file's contents [1]. No additional user interaction or special privileges are required.

Impact

Successful exploitation allows an authenticated attacker to read arbitrary files from the Jira server's filesystem. This can lead to disclosure of sensitive information such as configuration files, credentials, source code, or other data stored on the server. The vulnerability does not allow file modification or code execution, but the information disclosure can be critical for further attacks [1].

Mitigation

The vendor released version 4.0.14 of Power Scripts to fix this vulnerability [1]. Users should upgrade to version 4.0.14 or later. No workarounds are documented; the fix adds proper authorization checks to the affected endpoints. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing authorization checks on REST API endpoints allow any authenticated user to read arbitrary server files."

Attack vector

An authenticated Jira user can send crafted GET requests to the `wfviewer/filecheck` or `wfviewer/filecontent` REST endpoints, supplying a `path` parameter with directory traversal sequences (e.g., URL-encoded `c:\Windows\win.ini`) [1]. The server responds with file existence information or the raw file content, enabling an attacker to probe for and read arbitrary files from the Jira server filesystem [1]. No special administrative privileges are required because the endpoints lack authorization checks [1].

Affected code

The vulnerability resides in the REST API endpoints `/rest/keplerrominfo/jjupin/2.0/wfviewer/filecheck` and `/rest/keplerrominfo/jjupin/2.0/wfviewer/filecontent` within the Cprime Power Scripts add-on for Jira [1]. These endpoints accept a `path` parameter to probe and read arbitrary files from the server filesystem [1].

What the fix does

The advisory states that version 4.0.14 contains the fix, but no patch diff is provided in the bundle [1]. The remediation guidance is to upgrade to Power Scripts version 4.0.14 or later, which the vendor has released to address the missing authorization checks on the vulnerable REST endpoints [1].

Preconditions

  • Auth: attacker must have a valid Jira user account (any privilege level)
  • Network: attacker must have network access to the Jira server's REST API
  • Config: the vulnerable Power Scripts add-on version must be below 4.0.14

Reproduction

`curl -s -u <user>:<password> "http://jira.server.intern/rest/keplerrominfo/jjupin/2.0/wfviewer/filecheck?path=c%3A%2FWindows%2Fwin.ini&_=1514764800000"` returns `{"id":9}`, indicating the file exists.

`curl -s -u <user>:<password> "http://jira.server.intern/rest/keplerrominfo/jjupin/2.0/wfviewer/filecontent?path=c%3A%2FWindows%2Fwin.ini&_=1514764800000"` returns the raw file content [1].
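As a defender-side check, added here and not part of the advisory or of the vendor's code: a scan over access log lines that flags requests to the two `wfviewer` endpoints whose `path` parameter is absolute, drive-letter or traversal-shaped, so the request patterns above can be searched for in historical logs of instances that ran a version below 4.0.14. The log format (Apache/nginx combined, written by a reverse proxy in front of Jira) and the user field carrying the Jira account name are assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The two endpoints named in the advisory for CVE-2019-9005.
VULN_ENDPOINTS = {
    "/rest/keplerrominfo/jjupin/2.0/wfviewer/filecheck",
    "/rest/keplerrominfo/jjupin/2.0/wfviewer/filecontent",
}

# Constructed sample lines (not real traffic) in Apache/nginx combined format, as
# written by a reverse proxy; the third field is assumed to hold the Jira user.
SAMPLE_LOG = """\
10.0.0.5 - alice [18/Apr/2019:10:01:02 +0000] "GET /rest/api/2/issue/ABC-1 HTTP/1.1" 200 512 "-" "curl/7.64"
10.0.0.9 - bob [18/Apr/2019:10:01:07 +0000] "GET /rest/keplerrominfo/jjupin/2.0/wfviewer/filecheck?path=c%3A%2FWindows%2Fwin.ini&_=1514764800000 HTTP/1.1" 200 8 "-" "curl/7.64"
10.0.0.9 - bob [18/Apr/2019:10:01:09 +0000] "GET /rest/keplerrominfo/jjupin/2.0/wfviewer/filecontent?path=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "curl/7.64"
10.0.0.7 - admin [18/Apr/2019:10:02:00 +0000] "GET /rest/keplerrominfo/jjupin/2.0/wfviewer/filecontent?path=workflow%2Fnotes.txt HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Combined-format line: client, ident, user, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_suspicious_path(value: str) -> bool:
    """True for absolute paths, drive-letter paths or any '..' segment.
    Decodes twice so a double-encoded value is judged on its final form, and
    treats backslashes as separators to cover Windows-style paths."""
    decoded = unquote(unquote(value)).replace("\\", "/")
    return (decoded.startswith("/")
            or re.match(r"^[A-Za-z]:/", decoded) is not None
            or ".." in decoded.split("/"))

def scan_access_log(text: str) -> list:
    """One record per request to a wfviewer endpoint whose `path` parameter
    points outside a relative location: who, from where, and what was asked."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        url = urlsplit(m["target"])
        if url.path not in VULN_ENDPOINTS:
            continue
        for raw_path in parse_qs(url.query).get("path", []):  # decoded once here
            if is_suspicious_path(raw_path):
                hits.append({"user": m["user"], "ip": m["ip"], "status": int(m["status"]),
                             "endpoint": url.path.rsplit("/", 1)[1], "path": unquote(raw_path)})
    return hits
```

A 200 on `filecontent` for a flagged path is the record worth escalating; `filecheck` hits show the probing that typically precedes it.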

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in our index yet)