[JRACLOUD-29403] Privilege escalation vulnerability

Type: Bug
Resolution: Fixed
Priority: High
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Cloud bug fix policy

NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report.

We have identified and fixed a privilege escalation vulnerabilities that affect JIRA instances, including publicly available instances (that is, Internet-facing servers). This vulnerability allows an attacker to bypass authentication and authorisation controls by hitting specially crafted URLs. The attacker does not need to have an account on the affected JIRA server. The attacker will be able to execute a large number of administrative actions.

This vulnerability has been fixed in JIRA 5.0.7 and later. Patches are available for JIRA 4.3.4, 4.4.5 and 5.0.6.

Full details are available in the advisory at https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-08-28

Note: the patch instructions files refer to JRA-29138, please ignore this, they are indeed the correct instructions.
Note 2: If you encounter error messages after applying the patch, see if this KB article applies

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

JRA-29403-4.3.4-patch.md5
0.1 kB
20/Aug/2012 4:07 AM
JRA-29403-4.3.4-patch.zip
393 kB
20/Aug/2012 4:07 AM
JRA-29403-4.3.4-patch-instructions.txt
5 kB
20/Aug/2012 4:07 AM
JRA-29403-4.4.5-patch.md5
0.1 kB
20/Aug/2012 4:07 AM
JRA-29403-4.4.5-patch.zip
396 kB
20/Aug/2012 4:07 AM
JRA-29403-4.4.5-patch-instructions.txt
5 kB
20/Aug/2012 4:07 AM
JRA-29403-5.0.6-patch.md5
0.1 kB
20/Aug/2012 4:07 AM
JRA-29403-5.0.6-patch.zip
398 kB
20/Aug/2012 4:07 AM
JRA-29403-5.0.6-patch-instructions.txt
5 kB
20/Aug/2012 4:07 AM

is related to

JRASERVER-29403 Privilege escalation vulnerability

Closed

Rodrigo Borghette Schmidt added a comment - 30/Aug/2012 12:01 AM

Is a patch for 3.13.5 expected?

Rodrigo Borghette Schmidt added a comment - 30/Aug/2012 12:01 AM Is a patch for 3.13.5 expected?

Sven Wunsch added a comment - 29/Aug/2012 10:26 AM

Could i heave a example of the Bug becouse we got an old version of JIRA and we heave to trye to secure our Instance until we can Upgrade. But i need to reproduce the Bug first to see how i can prevent the bad URL to be used.

Sven Wunsch added a comment - 29/Aug/2012 10:26 AM Could i heave a example of the Bug becouse we got an old version of JIRA and we heave to trye to secure our Instance until we can Upgrade. But i need to reproduce the Bug first to see how i can prevent the bad URL to be used.

VitalyA added a comment - 29/Aug/2012 7:49 AM - edited

To apply the patch for 4.4.5, is it required to update JIRA to 4.4.5 first?

This is correct. Please raise a support request if you need help with upgrading.

VitalyA added a comment - 29/Aug/2012 7:49 AM - edited To apply the patch for 4.4.5, is it required to update JIRA to 4.4.5 first? This is correct. Please raise a support request if you need help with upgrading.

VitalyA added a comment - 29/Aug/2012 7:48 AM

All versions earlier than 5.0.7 are affected.

VitalyA added a comment - 29/Aug/2012 7:48 AM All versions earlier than 5.0.7 are affected.

Ohnuki Hiroshi added a comment - 29/Aug/2012 7:32 AM

Is Jira 4.1.2 affected?

Ohnuki Hiroshi added a comment - 29/Aug/2012 7:32 AM Is Jira 4.1.2 affected?

Russ Frizzell added a comment - 28/Aug/2012 5:38 PM

To apply the patch for 4.4.5, is it required to update JIRA to 4.4.5 first? We are currently on 4.4.3. Thanks for the notification.

Russ Frizzell added a comment - 28/Aug/2012 5:38 PM To apply the patch for 4.4.5, is it required to update JIRA to 4.4.5 first? We are currently on 4.4.3. Thanks for the notification.

Bettina Zucker added a comment - 28/Aug/2012 3:18 PM

Is jira 4.0.2 affected?

Bettina Zucker added a comment - 28/Aug/2012 3:18 PM Is jira 4.0.2 affected?

Lars Raeder added a comment - 28/Aug/2012 1:58 PM

Is Jira 3.13.5 affected?

Lars Raeder added a comment - 28/Aug/2012 1:58 PM Is Jira 3.13.5 affected?

VitalyA added a comment - 20/Aug/2012 4:07 AM

Patches for JIRA 4.3.4, 4.4.5, 5.0.6, and instructions on how to apply them are attached to this issue.

VitalyA added a comment - 20/Aug/2012 4:07 AM Patches for JIRA 4.3.4, 4.4.5, 5.0.6, and instructions on how to apply them are attached to this issue.

Assignee:: VitalyA

Reporter:: VitalyA

Affected customers:: 0 This affects my team

Watchers:: 12 Start watching this issue

Created:: 20/Aug/2012 4:04 AM

Updated:: 15/Aug/2019 5:32 AM

Resolved:: 20/Aug/2012 4:07 AM

Jira Platform Cloud

Details

Description

Attachments

Attachments

Issue Links

Forms

Activity

Collapse comment: Rodrigo Borghette Schmidt added a comment - 30/Aug/2012 12:01 AM

Expand comment: Rodrigo Borghette Schmidt added a comment - 30/Aug/2012 12:01 AM

Collapse comment: Sven Wunsch added a comment - 29/Aug/2012 10:26 AM

Expand comment: Sven Wunsch added a comment - 29/Aug/2012 10:26 AM

Collapse comment: VitalyA added a comment - 29/Aug/2012 7:49 AM, Edited by VitalyA - 29/Aug/2012 7:49 AM

Expand comment: VitalyA added a comment - 29/Aug/2012 7:49 AM, Edited by VitalyA - 29/Aug/2012 7:49 AM

Collapse comment: VitalyA added a comment - 29/Aug/2012 7:48 AM

Expand comment: VitalyA added a comment - 29/Aug/2012 7:48 AM

Collapse comment: Ohnuki Hiroshi added a comment - 29/Aug/2012 7:32 AM

Expand comment: Ohnuki Hiroshi added a comment - 29/Aug/2012 7:32 AM

Collapse comment: Russ Frizzell added a comment - 28/Aug/2012 5:38 PM

Expand comment: Russ Frizzell added a comment - 28/Aug/2012 5:38 PM

Collapse comment: Bettina Zucker added a comment - 28/Aug/2012 3:18 PM

Expand comment: Bettina Zucker added a comment - 28/Aug/2012 3:18 PM

Collapse comment: Lars Raeder added a comment - 28/Aug/2012 1:58 PM

Expand comment: Lars Raeder added a comment - 28/Aug/2012 1:58 PM

Collapse comment: VitalyA added a comment - 20/Aug/2012 4:07 AM

Expand comment: VitalyA added a comment - 20/Aug/2012 4:07 AM

People

Dates