Uploaded image for project: 'Jira Server and Data Center'
  1. Jira Server and Data Center
  2. JRASERVER-29403

Privilege escalation vulnerability

    XMLWordPrintable

Details

    Description

      NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.

      We have identified and fixed a privilege escalation vulnerabilities that affect JIRA instances, including publicly available instances (that is, Internet-facing servers). This vulnerability allows an attacker to bypass authentication and authorisation controls by hitting specially crafted URLs. The attacker does not need to have an account on the affected JIRA server. The attacker will be able to execute a large number of administrative actions.

      This vulnerability has been fixed in JIRA 5.0.7 and later. Patches are available for JIRA 4.3.4, 4.4.5 and 5.0.6.

      Full details are available in the advisory at https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-08-28

      Note: the patch instructions files refer to JRA-29138, please ignore this, they are indeed the correct instructions.
      Note 2: If you encounter error messages after applying the patch, see if this KB article applies

      Attachments

        1. JRA-29403-4.3.4-patch.md5
          0.1 kB
        2. JRA-29403-4.3.4-patch.zip
          393 kB
        3. JRA-29403-4.3.4-patch-instructions.txt
          5 kB
        4. JRA-29403-4.4.5-patch.md5
          0.1 kB
        5. JRA-29403-4.4.5-patch.zip
          396 kB
        6. JRA-29403-4.4.5-patch-instructions.txt
          5 kB
        7. JRA-29403-5.0.6-patch.md5
          0.1 kB
        8. JRA-29403-5.0.6-patch.zip
          398 kB
        9. JRA-29403-5.0.6-patch-instructions.txt
          5 kB

        Issue Links

          Activity

            People

              vosipov VitalyA
              vosipov VitalyA
              Votes:
              0 Vote for this issue
              Watchers:
              12 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: