We have identified and fixed vulnerabilities in JIRA 4.2 that would allow an attacker to carry out Cross-Site Scripting (XSS) and/or Cross-Site Request Forgery (XSRF) attacks. Full details of the severity, risks and vulnerabilities can be found in the JIRA Security Advisory 2010-11-06.

The patches below should be applied. Note that Studio instances are not vulnerable at the time of this disclosure.

Note that these patches are cumulative and include the fixes that were applied in JRA-21004.

      Patches

            [JRASERVER-22493] Patches for XSS / XSRF vulnerabilities

Change history

Bugfix Automation Bot made changes:
  Minimum Version: (empty) -> 3.13
Owen made changes:
  Workflow: JAC Bug Workflow v2 [2842463] -> JAC Bug Workflow v3 [2927128]
  Status: Resolved [5] -> Closed [6]
Owen made changes:
  Workflow: JIRA Bug Workflow w Kanban v7 - Restricted [2576606] -> JAC Bug Workflow v2 [2842463]
Ignat (Inactive) made changes:
  Workflow: JIRA Bug Workflow w Kanban v6 - Restricted [1540467] -> JIRA Bug Workflow w Kanban v7 - Restricted [2576606]
Confluence Escalation Bot (Inactive) made changes:
  Labels: security -> affects-server security
Oswaldo Hernandez (Inactive) made changes:
  Component/s: Security [Deprecated] [11831] -> (empty)
  Labels: (empty) -> security
Owen made changes:
  Workflow: JIRA Bug Workflow w Kanban v6 [679391] -> JIRA Bug Workflow w Kanban v6 - Restricted [1540467]
Oswaldo Hernandez (Inactive) made changes:
  Workflow: JIRA Bug Workflow w Kanban v5 [661737] -> JIRA Bug Workflow w Kanban v6 [679391]
Oswaldo Hernandez (Inactive) made changes:
  Workflow: JIRA Bug Workflow w Kanban v5 [260561] -> JIRA Bug Workflow w Kanban v6 [661737]

            robk added a comment -

Running an unzip across my Jira instances is both clunky and breaks the rpm I build to deploy and manage my Jira install. I can probably wangle a %patch in the specfile, but surely it would have been just as easy to roll an updated tar.gz of the Jira standalone install bundle? This kind of ad-hoc patching is not what I'd expect of Atlassian.

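As an added example (not Atlassian's patch tooling and not part of this issue), the following POSIX shell script applies an unpacked patch tree over a JIRA standalone install, which is what unzipping the patch archives above amounts to, while keeping a backup of every file it overwrites so the change can be verified and reverted. The patch, install and backup directory names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Atlassian's own patch tooling. Applies an unpacked patch
# tree over a JIRA standalone install, backing up every file it overwrites,
# then verifies the result and can revert it. All paths are assumptions.
set -eu

# List every regular file under a tree, relative to its root, one per line.
list_files() {
  ( cd "$1" && find . -type f | sed 's#^\./##' )
}

# apply_patch PATCH_DIR INSTALL_DIR BACKUP_DIR
# Copies each patch file into INSTALL_DIR. When a file already exists there,
# the original is saved first under BACKUP_DIR at the same relative path.
apply_patch() {
  list_files "$1" | while IFS= read -r rel; do
    if [ -f "$2/$rel" ]; then
      mkdir -p "$3/$(dirname "$rel")"
      cp -p "$2/$rel" "$3/$rel"
    fi
    mkdir -p "$2/$(dirname "$rel")"
    cp -p "$1/$rel" "$2/$rel"
  done
}

# verify_patch PATCH_DIR INSTALL_DIR
# Exits 0 when every patch file is byte-identical in the install, 1 otherwise
# (a missing file in the install also counts as a mismatch).
verify_patch() {
  list_files "$1" | while IFS= read -r rel; do
    cmp -s "$1/$rel" "$2/$rel" || { echo "MISMATCH: $rel" >&2; exit 1; }
  done
}

# revert_patch BACKUP_DIR INSTALL_DIR
# Restores the backed-up originals over the install. Files the patch added
# (which had no original to back up) are left in place.
revert_patch() {
  list_files "$1" | while IFS= read -r rel; do
    cp -p "$1/$rel" "$2/$rel"
  done
}
```

Run it with JIRA stopped and as the user that owns the install, e.g. `apply_patch /tmp/jira-patch /opt/atlassian/jira /var/backups/jira-patch-$(date +%F)` followed by `verify_patch /tmp/jira-patch /opt/atlassian/jira` (paths assumed). The backup tree is also the list of files the patch touches, which is the information needed when folding the change into a package build instead of unzipping over a deployed instance.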

              pleschev Peter Leschev
              jwinters tier-0 grump