Detections
Analytics
Atlassian JIRA Open Redirect Vulnerabilities
medium Nessus Plugin ID 128282
Language:
Synopsis
The remote web server hosts a web application that is potentially affected by multiple vulnerabilities.Description
According to its self-reported version number, the instance of Atlassian JIRA hosted on the remote web server is prior to 7.3.16, 8.2.x prior to 8.2.3, or 8.3.x prior to 8.3.2. It is, therefore, affected by multiple vulnerabilities:- An open rediect vulnerability exists in startup.jsp. An unauthenticated, remote attacker can exploit this by convincing a user to click a specially crafted URL, to redirect the user's browser to an unexpected malicious page. (CVE-2019-11585)
- An open redirect vulnerability exists in the ChangeSharedFilterOwner resource. An unauthenticated, remote attacker can exploit this by convincing a user to click a specially crafted URL, to redirect the user's browser and potentially steal their CSRF token. (CVE-2019-11589)
Solution
Upgrade to Atlassian JIRA version 7.13.6 / 8.2.3 / 8.3.2 or later.See Also
Plugin Details
Severity: Medium
ID: 128282
File Name: jira_7_13_6.nasl
Version: 1.5
Type: combined
Agent: windows, macosx, unix
Family: CGI abuses
Published: 8/28/2019
Updated: 4/11/2022
Configuration: Enable thorough checks
Supported Sensors: Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.0
CVSS v2
Risk Factor: Medium
Base Score: 5.8
Temporal Score: 4.3
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS Score Source: CVE-2019-11589
CVSS v3
Risk Factor: Medium
Base Score: 6.1
Temporal Score: 5.3
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:atlassian:jira
Required KB Items: installed_sw/Atlassian JIRA
Exploit Ease: No known exploits are available
Patch Publication Date: 8/9/2019
Vulnerability Publication Date: 8/9/2019
Reference Information
CVE: CVE-2019-11585, CVE-2019-11589