SB2020031721 - Multiple vulnerabilities in Atlassian JIRA

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2019-20899)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1.

2) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2019-20408)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

3) Missing Authorization (CVE-ID: CVE-2019-20407)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8.6.1 allows authenticated remote attackers to view release version information in projects that they do not have access to through an missing authorisation check.

Remediation

Install update from vendor's website.

References

• https://jira.atlassian.com/browse/JRASERVER-70808
• https://jira.atlassian.com/browse/JRASERVER-71204
• https://jira.atlassian.com/browse/JRASERVER-70599