Atlassian JIRA < 4.1.2 Multiple Vulnerabilities
Medium Nessus Network Monitor Plugin ID 5577
SynopsisThe remote web server hosts an application that is vulnerable to multiple attack vectors.
DescriptionAtlassian JIRA, a web-based application for bug tracking, issue tracking, and project management is installed on the remote web server. Versions of JIRA earlier than 4.1.2 are potentially affected by multiple vulnerabilities :
- Multiple cross-site scripting vulnerabilities in URL query strings.
- JIRA standalone fails to properly protect sensitive cookie data with the 'HTTPOnly' protection mechanism.
- Users without the 'JIRA Users' permission can login via crowd single-sign-on.
- A cross-site request forgery in the 'logout' action.
- Multiple vulnerabilities in the FishEye plugin.
- A security vulnerability in the Bamboo plugin.
SolutionUpgrade to Atlassian JIRA 4.1.2 or later.