Atlassian Jira 7.13.x < 7.13.4, 8.0.x < 8.0.4, 8.1.x < 8.1.1 Multiple Vulnerabilities
Medium Nessus Plugin ID 125629
Synopsis
The remote web server hosts a web application that is potentially affected by multiple vulnerabilities.
Description
According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is potentially affected by multiple vulnerabilities:
- A directory traversal vulnerability exists in the CachingResourceDownloadRewriteRule class due to an ineffective path access check. An unauthenticated, remote attacker can exploit this to access files in the Jira webroot under the META-INF directory. (CVE-2019-8442)
- An authentication bypass vulnerability exists in the ViewUpgrades resource due to improper access control. An unauthenticated, remote attacker can exploit this to bypass WebSudo authentication and access the ViewUpgrades administrative resource. (CVE-2019-8443)
Solution
Upgrade to Atlassian Jira version 7.13.4 / 8.1.1 or later.