Jira Data Center / JRASERVER-29403

Privilege escalation vulnerability

NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.

We have identified and fixed a privilege escalation vulnerability that affects JIRA instances, including publicly available instances (that is, Internet-facing servers). This vulnerability allows an attacker to bypass authentication and authorisation controls by requesting specially crafted URLs. The attacker does not need to have an account on the affected JIRA server, and is able to execute a large number of administrative actions.

This vulnerability has been fixed in JIRA 5.0.7 and later. Patches are available for JIRA 4.3.4, 4.4.5 and 5.0.6.

Full details are available in the advisory at https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-08-28

Note: the patch instruction files refer to JRA-29138. Please ignore this; they are indeed the correct instructions.
Note 2: If you encounter error messages after applying the patch, see if this KB article applies.

Attachments:

  1. JRA-29403-4.3.4-patch.md5 (0.1 kB)
  2. JRA-29403-4.3.4-patch.zip (393 kB)
  3. JRA-29403-4.3.4-patch-instructions.txt (5 kB)
  4. JRA-29403-4.4.5-patch.md5 (0.1 kB)
  5. JRA-29403-4.4.5-patch.zip (396 kB)
  6. JRA-29403-4.4.5-patch-instructions.txt (5 kB)
  7. JRA-29403-5.0.6-patch.md5 (0.1 kB)
  8. JRA-29403-5.0.6-patch.zip (398 kB)
  9. JRA-29403-5.0.6-patch-instructions.txt (5 kB)

vosipov VitalyA