Atlassian JIRA < 4.1.2 Multiple Vulnerabilities

Medium Nessus Network Monitor Plugin ID 5577

Synopsis

The remote web server hosts an application that is affected by multiple vulnerabilities.

Description

Atlassian JIRA, a web-based application for bug tracking, issue tracking, and project management, is installed on the remote web server. Versions of JIRA earlier than 4.1.2 are potentially affected by multiple vulnerabilities:

- Multiple cross-site scripting vulnerabilities in URL query string parameters.
- JIRA Standalone does not set the 'HttpOnly' flag on sensitive cookies, so session cookie values remain readable by client-side script and can be stolen through any of the cross-site scripting flaws above.
- Users without the 'JIRA Users' permission can log in via Crowd single sign-on.
- A cross-site request forgery vulnerability in the 'logout' action.
- Multiple vulnerabilities in the FishEye plugin.
- A security vulnerability in the Bamboo plugin.

Solution

Upgrade to Atlassian JIRA 4.1.2 or later.
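The following is an added example, not the Nessus plugin's own code, showing how two of the findings above can be checked offline from a saved HTTP response: whether the reported JIRA version is below the 4.1.2 fix level, and which cookies the server issues without the HttpOnly attribute. The response text is constructed sample data (headers, cookie values and the "(v4.1.1#522)" footer banner are assumptions about the page layout, not captured from a real host); JSESSIONID is the Tomcat session cookie that JIRA Standalone uses.

```python
"""Offline checks for a saved JIRA HTTP response: version threshold and
cookies issued without the HttpOnly attribute (added example)."""
import re

# First version that carries the fixes described in the advisory.
FIXED_VERSION = (4, 1, 2)

# Constructed sample response. Cookie values and the footer markup are
# assumptions made for this example, not data from a real JIRA host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=1A2B3C4D5E6F; Path=/\r\n"
    "Set-Cookie: example.pref=1; Path=/; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><div class=\"footer\">(v4.1.1#522)</div></body></html>"
)


def parse_version(text):
    """Return the first dotted version in text as an int tuple, e.g.
    '(v4.1.1#522)' -> (4, 1, 1); None if no dotted version is present.
    A production check should anchor on the footer markup so that other
    dotted numbers in the page cannot be mistaken for the version."""
    m = re.search(r"\bv?(\d+(?:\.\d+)+)", text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable_version(text):
    """True if the version found in text is below FIXED_VERSION,
    False if it is at or above it, None if no version was found."""
    found = parse_version(text)
    if found is None:
        return None
    # Pad both tuples so that 4.1 compares as 4.1.0 against 4.1.2.
    width = max(len(found), len(FIXED_VERSION))
    found = found + (0,) * (width - len(found))
    fixed = FIXED_VERSION + (0,) * (width - len(FIXED_VERSION))
    return found < fixed


def cookies_missing_httponly(set_cookie_values):
    """Given the values of Set-Cookie headers, return the names of the
    cookies whose attributes do not include HttpOnly (case-insensitive)."""
    missing = []
    for value in set_cookie_values:
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        attributes = {p.lower() for p in parts[1:]}
        if "httponly" not in attributes:
            missing.append(name)
    return missing


def audit_response(raw_response):
    """Split a raw HTTP response into head and body and run both checks.
    Only the body is searched for the version so that 'HTTP/1.1' and the
    Server header's own version number are not picked up."""
    head, _, body = raw_response.partition("\r\n\r\n")
    set_cookies = [
        line.split(":", 1)[1].strip()
        for line in head.split("\r\n")
        if line.lower().startswith("set-cookie:")
    ]
    return {
        "vulnerable_version": is_vulnerable_version(body),
        "cookies_missing_httponly": cookies_missing_httponly(set_cookies),
    }


if __name__ == "__main__":
    result = audit_response(SAMPLE_RESPONSE)
    print("JIRA below 4.1.2:", result["vulnerable_version"])
    print("Cookies without HttpOnly:", result["cookies_missing_httponly"])
```

On the sample above the check reports the version as below 4.1.2 and flags JSESSIONID as the one cookie issued without HttpOnly, which is exactly the pairing the advisory warns about: a readable session cookie alongside query-string XSS. After upgrading, rerun the same check against a fresh response to confirm both the banner and the Set-Cookie attributes changed.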

See Also

http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-06-18

http://www.nessus.org/u?28b67183

Plugin Details

Severity: Medium

ID: 5577

Family: CGI

Published: 2010/06/21

Modified: 2016/01/15

Dependencies: 1442

Nessus ID: 47114

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSSv3

Base Score: 5.3

Temporal Score: 5.1

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

Patch Publication Date: 2010/06/18

Vulnerability Publication Date: 2010/06/18

Reference Information

BID: 40950, 40953, 40955