SB2024032152 - Jira Software Data Center and Server update for nekohtml

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Improper input validation (CVE-ID: CVE-2022-24839)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Centralized Third Party Jars (NekoHTML) component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.

2) Input validation error (CVE-ID: CVE-2022-28366)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of crafted Processing Instruction (PI) input. A remote attacker can trick the victim to visit a specially crafted web page and perform a denial of service (DoS) attack.

3) Input validation error (CVE-ID: CVE-2022-29546)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when parsing the Processing Instruction (PI) data. A remote attacker can trick the victim to open a specially crafted web page and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://jira.atlassian.com/browse/JSWSERVER-25844"
• https://jira.atlassian.com/browse/JSWSERVER-25844</a></p><p><a
• https://jira.atlassian.com/browse/JSWSERVER-25843"
• https://jira.atlassian.com/browse/JSWSERVER-25843</a></p><p>
• https://jira.atlassian.com/browse/JSWSERVER-25842<br></p>