Atlassian JIRA 7.13.x < 7.13.6 / 8.x < 8.2.3 / 8.3.x < 8.3.2 Multiple Vulnerabilities

Medium Nessus Plugin ID 129593

Synopsis

The remote web server hosts a web application that is potentially affected by multiple vulnerabilities.

Description

According to its self-reported version number, the instance of Atlassian JIRA hosted on the remote web server is potentially affected by multiple vulnerabilities:

- An open redirect vulnerability exists in the startup.jsp resource. An unauthenticated, remote attacker can exploit this via the network to redirect users to a different website which they may use as part of performing a phishing attack. (CVE-2019-11585)

- A Cross-site request forgery (XSRF) vulnerability exists in the AddResolution.jspa resource. An unauthenticated, remote attacker can exploit this via the network to create new resolutions.
(CVE-2019-11586)

- A Cross-site request forgery (XSRF) vulnerability exists in various exposed resources of the ViewLogging class. An unauthenticated, remote attacker can exploit this via the network to modify various settings.
(CVE-2019-11587)

- A Cross-site request forgery (XSRF) vulnerability exists in the doGarbageCollection method of the ViewSystemInfo class. An unauthenticated, remote attacker can exploit this via the network to trigger garbage collection. (CVE-2019-11588)

- An open redirect vulnerability exists in the ChangeSharedFilterOwner resource. An unauthenticated, remote attacker can exploit this via the network to attack users, and in some cases be able to obtain a user's Cross-site request forgery (XSRF) token. (CVE-2019-11589)

Solution

Upgrade to Atlassian JIRA version 7.13.6 / 8.2.3 / 8.3.2 / 8.4.0 or later.

See Also

https://jira.atlassian.com/browse/JRASERVER-69780

https://jira.atlassian.com/browse/JRASERVER-69781

https://jira.atlassian.com/browse/JRASERVER-69782

https://jira.atlassian.com/browse/JRASERVER-69783

https://jira.atlassian.com/browse/JRASERVER-69784

Plugin Details

Severity: Medium

ID: 129593

File Name: jira_8_3_2_CVE-2019-11585.nasl

Version: 1.2

Type: remote

Family: CGI abuses

Published: 2019/10/07

Updated: 2019/10/17

Dependencies: 45577

Risk Information

Risk Factor: Medium

CVSS Score Source: CVE-2019-11585

CVSS v2.0

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:atlassian:jira

Required KB Items: installed_sw/Atlassian JIRA

Exploit Ease: No known exploits are available

Patch Publication Date: 2019/07/09

Vulnerability Publication Date: 2019/08/23

Reference Information

CVE: CVE-2019-11585, CVE-2019-11586, CVE-2019-11587, CVE-2019-11588, CVE-2019-11589