[JRASERVER-66642] Server Side Request Forgery(SSRF) in the Jira Trello importer - CVE-2017-16865 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Medium (View bug fix roadmap)
Fix Version/s: 7.6.1, 7.7.0
Affects Version/s: 7.4.2
Component/s: Jira Importers Plugin
Labels:
- CVE-2017-16865
- advisory
- advisory-released
- bugbounty
- cvss-medium
- raid
- security
- ssrf

Fixed in Long Term Support Release/s:

Download 7.6
Introduced in Version:
7.04
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

The Trello importer in Atlassian Jira before version 7.6.1 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF). When running in an environment like Amazon EC2, this flaw maybe used to access to a metadata resource that provides access credentials and other potentially confidential information.

Priya Varghese added a comment - 21/Mar/2022 5:12 AM

Hello,

Thank you so much for your comments on this issue. We value your feedback.
We’re doing further research on the usage of the Jira Import Tool (also known as Jira Importers Plug-in / CSV Import / Trello Import), and we’d like to invite you to take part in an upcoming customer research study.

What’s involved in the research:
We’ll schedule a 1-hour session at a time that’s convenient for you. The session will be conducted over video-conference, so you can participate from anywhere around the globe.

During the research, we'll start with a general chat to get to know you, and then we’d like to hear about how you use the Jira Import Tool for your tasks, and any feedback you have about the tool.
As a token of our appreciation, you'll receive an e-gift card worth $100 within 5 days of completing your session.

If you're interested in taking part, please contact me on pvarghese@atlassian.com to schedule a time that works for you.
If you have any other questions at all, feel free to reply to this message or email me directly on pvarghese@atlassian.com
We look forward to meeting you!

Cheers,
Priya Varghese
(Migrations Experience Design Team)

Priya Varghese added a comment - 21/Mar/2022 5:12 AM Hello, Thank you so much for your comments on this issue. We value your feedback. We’re doing further research on the usage of the Jira Import Tool (also known as Jira Importers Plug-in / CSV Import / Trello Import), and we’d like to invite you to take part in an upcoming customer research study. What’s involved in the research: We’ll schedule a 1-hour session at a time that’s convenient for you. The session will be conducted over video-conference, so you can participate from anywhere around the globe. During the research, we'll start with a general chat to get to know you, and then we’d like to hear about how you use the Jira Import Tool for your tasks, and any feedback you have about the tool. As a token of our appreciation, you'll receive an e-gift card worth $100 within 5 days of completing your session. If you're interested in taking part, please contact me on pvarghese@atlassian.com to schedule a time that works for you. If you have any other questions at all, feel free to reply to this message or email me directly on pvarghese@atlassian.com We look forward to meeting you! Cheers, Priya Varghese (Migrations Experience Design Team)

Steve Bachinsky added a comment - 30/May/2018 6:13 PM

There is a similar SSRF vulnerability with Jira v7.5.2 in the Jira GitHub Issue Importer. Many of these non-essential add-ons should be disabled by default.

Steve Bachinsky added a comment - 30/May/2018 6:13 PM There is a similar SSRF vulnerability with Jira v7.5.2 in the Jira GitHub Issue Importer. Many of these non-essential add-ons should be disabled by default.

Security Metrics Bot added a comment - 17/Jan/2018 2:15 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 4.1 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	High
User Interaction	None

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	Low
Integrity	None
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Security Metrics Bot added a comment - 17/Jan/2018 2:15 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 4.1 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required High User Interaction None Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Jira Data Center

Details

Description

Attachments

Forms

Activity

[JRASERVER-66642] Server Side Request Forgery(SSRF) in the Jira Trello importer - CVE-2017-16865

Collapse comment: Priya Varghese added a comment - 21/Mar/2022 5:12 AM

Expand comment: Priya Varghese added a comment - 21/Mar/2022 5:12 AM

Collapse comment: Steve Bachinsky added a comment - 30/May/2018 6:13 PM

Expand comment: Steve Bachinsky added a comment - 30/May/2018 6:13 PM

Collapse comment: Security Metrics Bot added a comment - 17/Jan/2018 2:15 AM

Expand comment: Security Metrics Bot added a comment - 17/Jan/2018 2:15 AM

People

Dates