Detections
Analytics

Atlassian JIRA < 4.1.2 Multiple Vulnerabilities

medium Nessus Network Monitor Plugin ID 5577

Synopsis

The remote web server hosts an application that is vulnerable to multiple attack vectors.

Description

Atlassian JIRA, a web-based application for bug tracking, issue tracking, and project management is installed on the remote web server. Versions of JIRA earlier than 4.1.2 are potentially affected by multiple vulnerabilities :

 - Multiple cross-site scripting vulnerabilities in URL query strings.
 - JIRA standalone fails to properly protect sensitive cookie data with the 'HTTPOnly' protection mechanism.
 - Users without the 'JIRA Users' permission can login via crowd single-sign-on.
 - A cross-site request forgery in the 'logout' action.
 - Multiple vulnerabilities in the FishEye plugin.
 - A security vulnerability in the Bamboo plugin.

Solution

Upgrade to Atlassian JIRA 4.1.2 or later.

See Also

http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-06-18

http://www.nessus.org/u?28b67183

Plugin Details

Severity: Medium

ID: 5577

Family: CGI

Published: 6/21/2010

Updated: 3/6/2019

Nessus ID: 47114

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 5.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

Patch Publication Date: 6/18/2010

Vulnerability Publication Date: 6/18/2010

Reference Information

BID: 40950, 40953, 40955