[JRASERVER-21004] XSS and Privilege Escalation Vulnerabilities in JIRA

Type: Bug
Resolution: Fixed
Priority: Highest (View bug fix roadmap)
Fix Version/s: 4.1.1
Affects Version/s: None
Component/s: Infrastructure & Services - Application Lifecycle
Labels:
- security
- xss

Bug Fix Policy:
View Atlassian Server bug fix policy

We have identified and fixed vulnerabilities in JIRA which will allow an attacker to invoke XSS (Cross Site Scripting) attacks and/or obtain escalated account privileges potentially gaining access to the file system. Full details of the severity, risks and vulnerabilities can be found in the JIRA Security Advisory 2010-04-16.

This patch supercedes both ~~JRA-20994~~ and ~~JRA-20995~~ with additional fixes and protection for your JIRA instance.

We strongly recommend that all customers apply the attached patch immediately to address these vulnerabilities, even if you have already applied ~~JRA-20994~~ and ~~JRA-20995~~.

Before applying the patch, please refer to the following documents, in this order:

Patches

Version	File
4.1	patch-JRA-21004-4.1.zip
4.0.2	patch-JRA-21004-4.0.2.zip
4.0.1	patch-JRA-21004-4.0.1.zip
4.0	patch-JRA-21004-4.0.zip
3.13.5	patch-JRA-21004-3.13.5.zip
3.13.4	patch-JRA-21004-3.13.4.zip
3.13.3	patch-JRA-21004-3.13.3.zip
3.13.2	patch-JRA-21004-3.13.2.zip
3.13.1	patch-JRA-21004-3.13.1.zip
3.13	patch-JRA-21004-3.13.zip
3.12.3	patch-JRA-21004-3.12.3.zip
3.12.2	patch-JRA-21004-3.12.2.zip
3.12.1	patch-JRA-21004-3.12.1.zip
3.12	patch-JRA-21004-3.12.zip

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

SysInfoPatch.png
23/Apr/2010 1:36 AM
22 kB
Bogdan Dziedzic [Atlassian]

details

JRASERVER-21084 Quality Review for 4.1.2

Closed

JRASERVER-21085 Quality Review for 4.2

Closed

has a regression in

JRASERVER-21063 Linked issues display incorrectly after applying security patch JRA-21004

Closed

supersedes

JRASERVER-20994 XSS Vulnerabilities in JIRA

Closed

JRASERVER-20995 Privilege escalation vulnerability when administrator access is compromised

Closed

set-jac-bot made changes - 12/Sep/2019 6:35 AM

Link

New: This issue details ~~JRASERVER-21084~~ [ ~~JRASERVER-21084~~ ]

set-jac-bot made changes - 12/Sep/2019 6:35 AM

Link

New: This issue details ~~JRASERVER-21085~~ [ ~~JRASERVER-21085~~ ]

Owen made changes - 16/Oct/2018 12:57 AM

Workflow	Original: JAC Bug Workflow v2 [ 2843448 ]	New: JAC Bug Workflow v3 [ 2927402 ]
Status	Original: Resolved [ 5 ]	New: Closed [ 6 ]

Owen made changes - 25/Sep/2018 12:38 AM

Workflow

Original: JIRA Bug Workflow w Kanban v7 - Restricted [ 2578917 ]

New: JAC Bug Workflow v2 [ 2843448 ]

Ignat (Inactive) made changes - 01/Feb/2018 2:23 PM

Workflow

Original: JIRA Bug Workflow w Kanban v6 - Restricted [ 1542468 ]

New: JIRA Bug Workflow w Kanban v7 - Restricted [ 2578917 ]

Oswaldo Hernandez (Inactive) made changes - 14/Jul/2016 7:23 AM

Component/s

New: Infrastructure & Services - Application Lifecycle [ 43324 ]

Oswaldo Hernandez (Inactive) made changes - 14/Jul/2016 7:23 AM

Labels

Original: xss

New: security xss

Oswaldo Hernandez (Inactive) made changes - 14/Jul/2016 7:23 AM

Component/s

Original: Security [Deprecated] [ 11831 ]

Owen made changes - 07/Jul/2016 6:57 AM

Workflow

Original: JIRA Bug Workflow w Kanban v6 [ 680014 ]

New: JIRA Bug Workflow w Kanban v6 - Restricted [ 1542468 ]

Oswaldo Hernandez (Inactive) made changes - 10/Apr/2014 12:54 AM

Workflow

Original: JIRA Bug Workflow w Kanban v5 [ 663180 ]

New: JIRA Bug Workflow w Kanban v6 [ 680014 ]

Assignee:: Unassigned

Reporter:: ɹǝʞɐq pɐɹq

Affected customers:: 0 This affects my team

Watchers:: 21 Start watching this issue

Created:: 14/Apr/2010 3:44 AM

Updated:: 15/Jan/2024 10:07 AM

Resolved:: 21/Apr/2010 2:36 AM

Details

Description

Attachments

Attachments

Issue Links

Forms

Activity

People

Dates