Detections
Analytics
Atlassian JIRA Multiple Vulnerabilities (JRASERVER-69245) (JRASERVER-69246)
high Nessus Plugin ID 124772
Language:
Synopsis
The remote web server hosts a web application that is potentially affected by multiple vulnerabilitiesDescription
According to its self-reported version number, the instance of Atlassian JIRA hosted on the remote web server is prior to 7.13.2 or 8.0.x prior to 8.0.2. It is, therefore, affected by multiple vulnerabilities:- An information disclosure vulnerability exists in Jira's BrowserProjects.jspa component. An unauthenticated, remote attacker can exploit this, by sending crafted HTTP requests, to disclose information about archived projects (CVE-2019-3399).
- A cross-site scripting (XSS) vulnerability exists due to improper validation of user-supplied input before returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser session (CVE-2019-3400).
Solution
Upgrade to Atlassian JIRA version 7.13.2 / 8.0.2See Also
Plugin Details
Severity: High
ID: 124772
File Name: jira_8_0_2.nasl
Version: 1.6
Type: combined
Agent: windows, macosx, unix
Family: CGI abuses
Published: 5/10/2019
Updated: 4/11/2022
Configuration: Enable thorough checks
Supported Sensors: Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.6
CVSS v2
Risk Factor: Medium
Base Score: 5
Temporal Score: 3.7
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS Score Source: CVE-2019-3399
CVSS v3
Risk Factor: High
Base Score: 7.5
Temporal Score: 6.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:atlassian:jira
Required KB Items: installed_sw/Atlassian JIRA
Exploit Ease: No known exploits are available
Patch Publication Date: 3/5/2019
Vulnerability Publication Date: 4/29/2019
Reference Information
CVE: CVE-2019-3399, CVE-2019-3400
BID: 108168