Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-20994

XSS Vulnerabilities in JIRA

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Highest
    • 4.1.1, 4.2
    • 3.12, 3.12.1, 3.12.2, 3.12.3, 3.13, 3.13.1, 3.13.2, 3.13.3, 3.13.4, 3.13.5, 4.0, 4.0.1, 4.0.2, 4.1
    • None

    Description

      Warning: This issue is superceded by JRA-21004. Please install the patches on that issue, rather than this one.

      For more details, see JIRA Security Advisory - 2010-04-16.

      The security advisory also has details of how to determine if your JIRA installation has been compromised and another addendum on good system administration practices to protect your public JIRA installation. These additions are valuable even if you cannot apply the patch immediately.

      If you have already installed this patch, install JRA-21004 on top of this patch.

      We have identified vulnerabilities in JIRA which will allow an attacker to invoke XSS (Cross Site Scripting) attacks in JIRA. Some attacks possible with these vulnerabilities include:

      • An attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to the attacker's own web server.
      • An attacker's text and script might be displayed to other people viewing the JIRA page.

      You can read more about XSS attacks at cgisecurity, CERT and other places on the web.

      We recommend that you apply the attached patch immediately to address these vulnerabilities.
      The Instructions to apply the patch is contained within the Readme file as part of the attached zip. Please download the appropriate patch for your version of JIRA (these patches have only been tested on the point releases specified in the zip filename). If you are not on the point release that the patch is created for, it is recommended that you first upgrade to the latest point release for your version of JIRA before applying the patch.

      Alternatively, if you are not in a position to undertake this immediately and you judge it necessary, you could disable public access to JIRA (for example, by removing appropriate global or project-specific 'Anyone' permissions) and change JIRA's mode to disable public signup) until you have either applied the necessary patches. For even tighter control, you could restrict access to trusted groups.

      If you are applying this patch, we also recommend you apply the patch for JRA-20995.

      Attachments

        1. patch-JRA-20994-3_12_3.zip
          18 kB
        2. patch-JRA-20994-3_13_4.zip
          18 kB
        3. patch-JRA-20994-3_13_5.zip
          19 kB
        4. patch-JRA-20994-4_0_2.zip
          21 kB
        5. patch-JRA-20994-4_1.zip
          24 kB

        Issue Links

          details

          Bug - A problem which impairs or prevents the functions of the product. JRASERVER-21082 Quality Review for 4.1.2

          • Medium - Medium priority issues
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. JRASERVER-21083 Quality Review for 4.2

          • Medium - Medium priority issues
          • Closed
          is superseded by

          Bug - A problem which impairs or prevents the functions of the product. JRASERVER-21004 XSS and Privilege Escalation Vulnerabilities in JIRA

          • Highest - Our top priority issues
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. JRASERVER-20995 Privilege escalation vulnerability when administrator access is compromised

          • Highest - Our top priority issues
          • Closed

          Activity

            People

              Unassigned Unassigned
              edwin@atlassian.com edwin
              Votes:
              3 Vote for this issue
              Watchers:
              24 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: