SB2019091807 - Multiple vulnerabilities in Atlassian Jira
Published: September 18, 2019
Description
This security bulletin contains information about 17 security vulnerabilities.
1) Open redirect (CVE-ID: CVE-2019-11589)
The vulnerability allows a remote attacker to redirect victims to an arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data in the ChangeSharedFilterOwner resource. A remote attacker can create a link that appears to lead to a trusted website but, when clicked, redirects the victim to an arbitrary domain and, in some cases, obtains the user's Cross-site request forgery (CSRF) token.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
2) Cross-site request forgery (CVE-ID: CVE-2019-11588)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin passed via the "doGarbageCollection" method to the "ViewSystemInfo" class. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as triggering garbage collection.
3) Cross-site request forgery (CVE-ID: CVE-2019-11587)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the various exposed resources of the ViewLogging class. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as modifying various settings.
4) Cross-site request forgery (CVE-ID: CVE-2019-11586)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the AddResolution.jspa resource. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as creating new resolutions.
5) Open redirect (CVE-ID: CVE-2019-11585)
The vulnerability allows a remote attacker to redirect victims to an arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data in the startup.jsp resource. A remote attacker can create a link that appears to lead to a trusted website but, when clicked, redirects the victim to an arbitrary domain.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
6) Stored cross-site scripting (CVE-ID: CVE-2019-11584)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing the priority icon URL of an issue priority. A remote authenticated administrator can upload a malicious icon and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
7) Cross-site request forgery (CVE-ID: CVE-2019-8447)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the ServiceExecutor resource. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as triggering the creation of export files.
8) Cross-site scripting (CVE-ID: CVE-2019-8450)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Optimization plugin. A remote authenticated attacker with permission to manage custom fields can trick the victim into following a specially crafted link and execute arbitrary HTML and script code, placed in the name of a custom field, in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
9) Information disclosure (CVE-ID: CVE-2019-8449)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an information exposure in the "/rest/api/latest/groupuserpicker" resource. A remote attacker can enumerate usernames and gain unauthorized access to sensitive information on the system.
10) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2019-8451)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input in the "/plugins/servlet/gadgets/makeRequest" resource. A remote attacker can send a specially crafted HTTP request, gain access to the content of internal network resources due to a logic bug in the "JiraWhitelist" class, and trick the application into initiating requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located in the local network or to send malicious requests to other servers from the vulnerable system.
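For items 9 and 10, the following is an added example of defender-side log triage; it is not code from the bulletin or from Atlassian. It runs over constructed access-log lines and flags one client issuing many distinct groupuserpicker queries (enumeration) and makeRequest calls whose proxied URL points at an internal host. The log format, the "url" parameter name and the thresholds are assumptions.

```python
import re
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined-log style; not real Jira output).
SAMPLE_LOG = """\
203.0.113.5 - - [18/Sep/2019:10:00:01 +0000] "GET /rest/api/latest/groupuserpicker?query=a HTTP/1.1" 200 512
203.0.113.5 - - [18/Sep/2019:10:00:02 +0000] "GET /rest/api/latest/groupuserpicker?query=b HTTP/1.1" 200 498
203.0.113.5 - - [18/Sep/2019:10:00:03 +0000] "GET /rest/api/latest/groupuserpicker?query=c HTTP/1.1" 200 501
203.0.113.5 - - [18/Sep/2019:10:00:04 +0000] "GET /rest/api/latest/groupuserpicker?query=d HTTP/1.1" 200 490
192.0.2.9 - - [18/Sep/2019:10:01:00 +0000] "GET /rest/api/latest/groupuserpicker?query=smith HTTP/1.1" 200 300
198.51.100.7 - - [18/Sep/2019:10:02:00 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=http%3A%2F%2F10.0.0.5%2Fadmin HTTP/1.1" 200 2048
198.51.100.7 - - [18/Sep/2019:10:02:30 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=https%3A%2F%2Fexample.com%2Ffeed.xml HTTP/1.1" 200 900
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_lines(text):
    """Yield (client_ip, path, query_dict) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            parts = urlsplit(m.group("target"))
            yield m.group("ip"), parts.path, parse_qs(parts.query)

def is_internal_target(url):
    """Heuristic: the proxied URL names 'localhost' or a non-global literal IP
    (loopback, RFC 1918, link-local). Hostnames would need resolution; skipped here."""
    host = urlsplit(url).hostname or ""
    if host == "localhost":
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False

def triage(text, enum_threshold=4):
    """Return findings: groupuserpicker enumeration bursts per client IP, and
    makeRequest calls whose 'url' parameter (assumed name) targets an internal host."""
    queries_by_ip = defaultdict(set)
    findings = []
    for ip, path, qs in parse_lines(text):
        if path == "/rest/api/latest/groupuserpicker":
            queries_by_ip[ip].update(qs.get("query", []))
        elif path == "/plugins/servlet/gadgets/makeRequest":
            findings += [("ssrf_internal_target", ip, u) for u in qs.get("url", []) if is_internal_target(u)]
    for ip, seen in queries_by_ip.items():
        if len(seen) >= enum_threshold:
            findings.append(("user_enumeration_burst", ip, len(seen)))
    return findings
```

Tune the threshold to the normal picker usage on your instance; the makeRequest check only covers literal IPs, so DNS names resolving to internal ranges need a resolver-aware variant.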
11) Information disclosure (CVE-ID: CVE-2019-14997)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an information exposure in the "AccessLogFilter" class. A remote attacker can gain unauthorized access to details about other users, including their usernames.
12) Cross-site scripting (CVE-ID: CVE-2019-14996)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists in the "FilterPickerPopup.jspa" resource due to insufficient sanitization of user-supplied data in the "searchOwnerUserName" parameter. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
13) Missing Authorization (CVE-ID: CVE-2019-14995)
14) Missing Authorization (CVE-ID: CVE-2019-8445)
15) Missing authorization (CVE-ID: CVE-2019-8446)
16) Cross-site request forgery (CVE-ID: CVE-2019-14998)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in the Webwork action Cross-Site Request Forgery (CSRF) protection implementation. A remote attacker can bypass this protection via "cookie tossing", trick the victim into visiting a specially crafted web page, and perform arbitrary actions on behalf of the victim on the vulnerable website.
17) Cross-site scripting (CVE-ID: CVE-2019-8444)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists in the wikirenderer component due to insufficient sanitization of user-supplied data in the image attribute specification. A remote authenticated attacker can submit a specially crafted comment or worklog, trick the victim into following a specially crafted link, and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Remediation
Install the update from the vendor's website.
References
- https://jira.atlassian.com/browse/JRASERVER-69780
- https://jira.atlassian.com/browse/JRASERVER-69781
- https://jira.atlassian.com/browse/JRASERVER-69782
- https://jira.atlassian.com/browse/JRASERVER-69783
- https://jira.atlassian.com/browse/JRASERVER-69784
- https://jira.atlassian.com/browse/JRASERVER-69785
- https://jira.atlassian.com/browse/JRASERVER-69776
- https://jira.atlassian.com/browse/JRASERVER-69795
- https://jira.atlassian.com/browse/JRASERVER-69796
- https://jira.atlassian.com/browse/JRASERVER-69793
- https://jira.atlassian.com/browse/JRASERVER-69794
- https://jira.atlassian.com/browse/JRASERVER-69790
- https://jira.atlassian.com/browse/JRASERVER-69792
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0836
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0837
- https://jira.atlassian.com/browse/JRASERVER-69778
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0840
- https://jira.atlassian.com/browse/JRASERVER-69777
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0839
- https://jira.atlassian.com/browse/JRASERVER-69791
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0835
- https://jira.atlassian.com/browse/JRASERVER-69779
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0833