We have identified and fixed vulnerabilities in JIRA that would allow an attacker to mount XSS (Cross-Site Scripting) attacks and/or obtain escalated account privileges, potentially gaining access to the file system. Full details of the severity, risks and vulnerabilities can be found in the JIRA Security Advisory 2010-04-16.

      This patch supersedes both JRA-20994 and JRA-20995 with additional fixes and protection for your JIRA instance.

      We strongly recommend that all customers apply the attached patch immediately to address these vulnerabilities, even if you have already applied JRA-20994 and JRA-20995.

      Before applying the patch, please refer to the following documents, in this order:

      Patches

            [JRASERVER-21004] XSS and Privilege Escalation Vulnerabilities in JIRA

            "><trrthfgtfnhfgg added a comment -

            "><img src=c onerror=alert()>

            darrenpegg added a comment - edited

            <Removed>

            Mike P. added a comment -

            This patch has caused the 'Contact Administrators' page to display nothing in its list of admins, yet still displays the same text as before. Is there a way for me to override this behavior so that I can display some contact info for our users?


            Bogdan Dziedzic [Atlassian] added a comment - edited

            Easiest way to verify if the patch is operating correctly is to ensure that operations on backup and index directories are not allowed from the UI, as outlined in JIRA Security Advisory 2010-04-16.

            Additionally, for the 4.0+ releases the successful patch installation can be verified by:

            1. reviewing JIRA startup logs for the following entry

                   ___ Applied Patches ______________

                        JRA-21004                           : A patch to fix problems caused by JRA-21004

            2. checking the System Info page

            Unfortunately, any earlier JIRA releases can't present this information.

            In the older releases, you can confirm the patch deployment by ensuring that <jira_install_dir>/WEB-INF/classes/patches/JRA-21004.readme exists in your JIRA.
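            The two deployment indicators Bogdan lists above (the JRA-21004.readme file on disk, which applies to every release, and the "Applied Patches" block in the startup log, which only 4.0+ prints) can be checked from a shell. The script below is an added example written for this page; it is not Atlassian's code and is not shipped with the patch. It assumes the caller passes the JIRA install directory and the path of the startup log, and that the "Applied Patches" lines appear in the log without a per-line timestamp prefix, as in the excerpt quoted in the comment. The fixture files it builds for a dry run are constructed here, not real JIRA output.

```shell
#!/bin/sh
# Added example (not from the JRA-21004 thread or Atlassian): verifies the
# two deployment indicators for the JRA-21004 patch.
#   1. <jira_install_dir>/WEB-INF/classes/patches/JRA-21004.readme exists
#      (valid for every JIRA release that accepted the patch)
#   2. the startup log carries the "___ Applied Patches" block listing
#      JRA-21004 (JIRA 4.0+ only; older releases never print it)
# Assumption: the log lines are not prefixed with a timestamp, as in the
# excerpt quoted in the thread.

PATCH_ID="JRA-21004"

# readme_present <jira_install_dir> -> 0 if the patch readme is on disk
readme_present() {
    [ -f "$1/WEB-INF/classes/patches/${PATCH_ID}.readme" ]
}

# log_applied <startup_log> -> 0 if the log has the "Applied Patches"
# header and a "JRA-21004 : ..." line; both are required so that a stray
# mention of the issue key elsewhere in the log does not count.
log_applied() {
    [ -r "$1" ] || return 1
    grep -q "___ Applied Patches" "$1" && grep -q "^ *${PATCH_ID} *:" "$1"
}

# check_patch <jira_install_dir> <startup_log>
# exit status: 0 readme present and the log lists the patch
#              1 readme present but the log does not list it (expected on
#                releases before 4.0, or the wrong log file was given)
#              2 readme missing: the patched WAR is not deployed
check_patch() {
    dir=$1
    log=$2
    if ! readme_present "$dir"; then
        echo "FAIL: $dir/WEB-INF/classes/patches/${PATCH_ID}.readme not found; patch not deployed"
        return 2
    fi
    if log_applied "$log"; then
        echo "OK: ${PATCH_ID} readme present and listed under Applied Patches in $log"
        return 0
    fi
    echo "WARN: ${PATCH_ID} readme present but $log does not list it (pre-4.0 JIRA, or wrong log file)"
    return 1
}

# make_fixture <patched|unpatched> -> prints the path of a throwaway,
# constructed JIRA layout plus startup log so the checks can be tried
# offline. The contents are made up for this example, not real JIRA output.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/jira/WEB-INF/classes/patches"
    if [ "$1" = "patched" ]; then
        : > "$root/jira/WEB-INF/classes/patches/${PATCH_ID}.readme"
        cat > "$root/atlassian-jira.log" <<EOF
___ Applied Patches ______________

     ${PATCH_ID}                           : A patch to fix problems caused by ${PATCH_ID}

EOF
    else
        printf '%s\n' "JIRA starting up" > "$root/atlassian-jira.log"
    fi
    echo "$root"
}

# Usage: sh verify_jra21004.sh <jira_install_dir> <startup_log>
# With no arguments, the checks run against the constructed fixtures instead.
if [ "$#" -ge 2 ]; then
    check_patch "$1" "$2"
elif [ "$#" -eq 0 ]; then
    for mode in patched unpatched; do
        fixture=$(make_fixture "$mode")
        check_patch "$fixture/jira" "$fixture/atlassian-jira.log" || true
        rm -rf "$fixture"
    done
fi
```

            Run it against a real instance as `sh verify_jra21004.sh /path/to/jira /path/to/atlassian-jira.log`; the exit status distinguishes "not deployed" (2) from "deployed but this release cannot print the log block" (1), which matters on the pre-4.0 installs the comment mentions. The readme check is the one that holds on every release, so treat a WARN as "confirm the JIRA version" rather than as a failure.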

            Penny Wyatt added a comment -

            These issues have been verified as fixed in JIRA 4.1.1.
            Earlier versions of JIRA will still need to be patched, as described above.

            Ivar Ekman added a comment -

            I have checked that (for example) the attachment settings page has changed after applying the patch. This just assures me that the correct (new) war was deployed.

            Felix Herzog added a comment -

            Is there a way to prove that the patch applied?

              Assignee: Unassigned
              Reporter: bbaker (ɹǝʞɐq pɐɹq)
              Affected customers: 0
              Watchers: 21