NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report.

We have identified and fixed a privilege escalation vulnerability that affects JIRA instances, including publicly available instances (that is, Internet-facing servers). This vulnerability allows an attacker to bypass authentication and authorisation controls by requesting specially crafted URLs. The attacker does not need to have an account on the affected JIRA server, and will be able to execute a large number of administrative actions.

      This vulnerability has been fixed in JIRA 5.0.7 and later. Patches are available for JIRA 4.3.4, 4.4.5 and 5.0.6.

      Full details are available in the advisory at https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-08-28

Note: the patch instruction files refer to JRA-29138; please ignore this, they are indeed the correct instructions.
Note 2: If you encounter error messages after applying the patch, see if this KB article applies.

1. JRA-29403-4.3.4-patch.md5 (0.1 kB)
2. JRA-29403-4.3.4-patch.zip (393 kB)
3. JRA-29403-4.3.4-patch-instructions.txt (5 kB)
4. JRA-29403-4.4.5-patch.md5 (0.1 kB)
5. JRA-29403-4.4.5-patch.zip (396 kB)
6. JRA-29403-4.4.5-patch-instructions.txt (5 kB)
7. JRA-29403-5.0.6-patch.md5 (0.1 kB)
8. JRA-29403-5.0.6-patch.zip (398 kB)
9. JRA-29403-5.0.6-patch-instructions.txt (5 kB)

            [JRACLOUD-29403] Privilege escalation vulnerability

            Rodrigo Borghette Schmidt added a comment - Is a patch for 3.13.5 expected?

Sven Wunsch added a comment - Could I have an example of the bug, because we have an old version of JIRA and we have to try to secure our instance until we can upgrade. But I need to reproduce the bug first to see how I can prevent the bad URL from being used.

VitalyA added a comment - edited

            To apply the patch for 4.4.5, is it required to update JIRA to 4.4.5 first?

            This is correct. Please raise a support request if you need help with upgrading.


            VitalyA added a comment - All versions earlier than 5.0.7 are affected.

            Ohnuki Hiroshi added a comment - Is Jira 4.1.2 affected?

            Russ Frizzell added a comment - To apply the patch for 4.4.5, is it required to update JIRA to 4.4.5 first? We are currently on 4.4.3. Thanks for the notification.

            Bettina Zucker added a comment - Is jira 4.0.2 affected?

            Lars Raeder added a comment - Is Jira 3.13.5 affected?

            VitalyA added a comment - Patches for JIRA 4.3.4, 4.4.5, 5.0.6, and instructions on how to apply them are attached to this issue.

              vosipov VitalyA