Atlassian Jira < 8.4.0 Multiple Vulnerabilities

medium Web Application Scanning Plugin ID 98726

Synopsis

Atlassian Jira < 8.4.0 Multiple Vulnerabilities

Description

According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is prior to 8.4.0. It is, therefore, affected by multiple vulnerabilities:

- A cross-site scripting (XSS) vulnerability exists in the WikiRenderer parser. A remote attacker can exploit this by creating a specially crafted request that executes arbitrary script code in a user's browser session. (CVE-2019-8444)

- An information disclosure vulnerability exists in the /rest/api/2/worklog/list REST resource. An authenticated, remote attacker can exploit this to view worklog details for issues they do not have permission to view. (CVE-2019-8445)

- An information disclosure vulnerability exists in the /rest/issueNav/1/issueTable REST resource. A remote, anonymous attacker can exploit this to differentiate between valid and invalid usernames. (CVE-2019-8446)

- An information disclosure vulnerability exists in the /rest/api/latest/groupuserpicker resource. An unauthenticated, remote attacker can exploit this to enumerate usernames due to an incorrect authorization check. (CVE-2019-8449)

- A server-side request forgery (SSRF) vulnerability exists in the /plugins/servlet/gadgets/makeRequest resource due to a logic bug in the JiraWhitelist class. A remote attacker can exploit this to access the content of internal network resources. (CVE-2019-8451)

- An authentication bypass vulnerability exists in the /rest/api/1.0/render REST resource. Due to a missing permissions check, an unauthenticated, remote attacker can exploit this to determine if an attachment with a specific name exists and if an issue key is valid. (CVE-2019-14995)

- An information disclosure vulnerability exists in the AccessLogFilter class due to a caching vulnerability. A remote, anonymous attacker can exploit this to access details about other users, including their username, when Jira is configured with a reverse proxy and/or a load balancer with caching or a CDN. (CVE-2019-14997)

- A cross-site request forgery (CSRF) vulnerability exists in the Webwork action CSRF protection. A remote attacker can bypass this protection by 'cookie tossing' a CSRF cookie from a subdomain of a Jira instance. (CVE-2019-14998)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Atlassian Jira version 8.4.0 or later.

See Also

https://confluence.atlassian.com/jirasoftware/issues-resolved-in-8-4-0-976767008.html

https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0833

https://jira.atlassian.com/browse/JRASERVER-69779

https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0840

https://jira.atlassian.com/browse/JRASERVER-69778

https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0839

https://jira.atlassian.com/browse/JRASERVER-69777

https://jira.atlassian.com/browse/JRASERVER-69796

https://jira.atlassian.com/browse/JRASERVER-69793

https://github.com/0xbug/CVE-2019-8451

https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0837

https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0836

https://jira.atlassian.com/browse/JRASERVER-69792

https://jira.atlassian.com/browse/JRASERVER-69794

https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0835

https://jira.atlassian.com/browse/JRASERVER-69791

Plugin Details

Severity: Medium

ID: 98726

Type: remote

Published: 10/9/2019

Updated: 10/7/2021

Scan Template: scan, pci, api

Risk Information

CVSS Score Source: CVE-2019-8451

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnerability Information

CPE: cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/23/2019

Vulnerability Publication Date: 8/23/2019

Reference Information

CVE: CVE-2019-8444, CVE-2019-8445, CVE-2019-8446, CVE-2019-8449, CVE-2019-8451, CVE-2019-14995, CVE-2019-14997, CVE-2019-14998

CWE: 79, 264, 200, 918, 352

WASC: Application Misconfiguration, Cross-Site Request Forgery, Cross-Site Scripting, Information Leakage, Insufficient Authorization

HIPAA: 164.306(a)(1), 164.306(a)(2)

CAPEC: 111, 116, 13, 169, 17, 209, 22, 224, 285, 287, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 312, 313, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 35, 462, 467, 472, 497, 508, 573, 574, 575, 576, 577, 58, 588, 59, 591, 592, 60, 616, 62, 63, 643, 646, 651, 69, 76, 79, 85

DISA STIG: APSC-DV-000460, APSC-DV-002490, APSC-DV-002500, APSC-DV-002560, APSC-DV-002630

OWASP: 2010-A2, 2010-A5, 2010-A6, 2010-A8, 2013-A3, 2013-A5, 2013-A7, 2013-A8, 2013-A9, 2017-A5, 2017-A6, 2017-A7, 2017-A9, 2021-A1, 2021-A10, 2021-A3, 2021-A6

OWASP API: 2019-API7

OWASP ASVS: 4.0.2-14.2.1, 4.0.2-4.2.2, 4.0.2-5.2.6, 4.0.2-5.3.3, 4.0.2-8.3.4

PCI-DSS: 3.2-6.2, 3.2-6.5.7, 3.2-6.5.8, 3.2-6.5.9

ISO: 27001-A.12.6.1, 27001-A.14.2.5

NIST: sp800_53-CM-6b, sp800_53-SI-10, sp800_53-SI-10(5), sp800_53-SI-15