Jira Data Center: JRASERVER-66642

Server Side Request Forgery (SSRF) in the Jira Trello importer - CVE-2017-16865

      The Trello importer in Atlassian Jira before version 7.6.1 allows remote attackers to access the content of internal network resources via a Server-Side Request Forgery (SSRF). When Jira runs in an environment such as Amazon EC2, the flaw may be used to read the instance metadata resource, which provides access credentials and other potentially confidential information.

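The class of bug described above is an importer that fetches whatever URL it is handed. As an added example (not Jira's code and not the fix Atlassian shipped in 7.6.1), the Python below shows the outbound-URL guard such a feature needs before the server makes the request: an https-only scheme check, no credentials in the URL, a host allowlist, and a check that every address the host resolves to is public, so the 169.254.169.254 metadata endpoint is rejected whether it is named directly, reached through the `user@host` trick, returned by an attacker-controlled DNS name, or wrapped in an IPv4-mapped IPv6 address. The allowlist, the `FAKE_DNS` table and the addresses in it are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hosts the importer is expected to fetch from. Constructed for this example;
# Jira's real importer configuration is not shown on the page.
ALLOWED_HOSTS = frozenset({"api.trello.com", "api.github.com"})


def system_resolver(host):
    """Resolve a hostname to every A and AAAA record it has."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_public(addr):
    """True only for a globally routable unicast address.

    Rejects RFC 1918 space, loopback, link-local (which contains the
    169.254.169.254 cloud metadata endpoint), multicast, reserved and
    unspecified addresses, for IPv4 and IPv6 alike.
    """
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # judge ::ffff:169.254.169.254 as IPv4
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_import_url(url, resolver=system_resolver, allowed_hosts=ALLOWED_HOSTS):
    """Decide whether the server may fetch a user-supplied URL.

    Returns (ok, reason, pinned_ip). When ok is True the caller must connect
    to pinned_ip (sending the original hostname in the Host header and SNI)
    instead of resolving the name again, so a changed DNS answer cannot
    redirect the request after the check (DNS rebinding).
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https", None
    if parts.username is not None or parts.password is not None:
        # https://api.trello.com@169.254.169.254/ parses as user 'api.trello.com'
        return False, "credentials in URL are not allowed", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    if host not in allowed_hosts:
        return False, f"host {host!r} is not in the allowlist", None
    try:
        addrs = resolver(host)
    except (socket.gaierror, ValueError) as exc:
        return False, f"cannot resolve {host!r}: {exc}", None
    if not addrs:
        return False, f"no address for {host!r}", None
    # Every answer must be public: one internal record among several is
    # enough for the fetch to land on the internal network.
    for addr in addrs:
        if not is_public(addr):
            return False, f"{host!r} resolves to non-public {addr}", None
    return True, "ok", str(addrs[0])


# Constructed DNS table so the example runs offline; the addresses are made up.
FAKE_DNS = {
    "api.trello.com": ["93.184.216.34"],
    "api.github.com": ["93.184.216.34", "169.254.169.254"],  # poisoned / rebinding-style answer
    "files.example": ["::ffff:169.254.169.254"],             # mapped metadata address
}


def fake_resolver(host):
    """Stand-in for system_resolver that answers from FAKE_DNS."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no such host {host!r}")
    return [ipaddress.ip_address(a) for a in FAKE_DNS[host]]


if __name__ == "__main__":
    for url in (
        "https://api.trello.com/1/boards/abc",
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "https://api.trello.com@169.254.169.254/latest/meta-data/",
        "https://api.github.com/repos/x/y/issues",
    ):
        print(url, "->", check_import_url(url, fake_resolver))
```

Two caveats the guard cannot cover on its own: the HTTP client must not follow redirects automatically (a 302 from an allowed host to the metadata address is the usual bypass of a name-only check), or must re-run the check on every hop; and requiring IMDSv2 on the EC2 instance removes the credential read as a target even when a guard is bypassed.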

            Priya Varghese added a comment - Hello,

            Thank you so much for your comments on this issue. We value your feedback.
            We're doing further research on the usage of the Jira Import Tool (also known as Jira Importers Plug-in / CSV Import / Trello Import), and we'd like to invite you to take part in an upcoming customer research study.

            What's involved in the research:
            We'll schedule a 1-hour session at a time that's convenient for you. The session will be conducted over video-conference, so you can participate from anywhere around the globe.

            • During the research, we'll start with a general chat to get to know you, and then we'd like to hear about how you use the Jira Import Tool for your tasks, and any feedback you have about the tool.
            • As a token of our appreciation, you'll receive an e-gift card worth $100 within 5 days of completing your session.

            If you're interested in taking part, please contact me on pvarghese@atlassian.com to schedule a time that works for you.
            If you have any other questions at all, feel free to reply to this message or email me directly on pvarghese@atlassian.com.
            We look forward to meeting you!

            Cheers,
            Priya Varghese
            (Migrations Experience Design Team)

            Steve Bachinsky added a comment - There is a similar SSRF vulnerability with Jira v7.5.2 in the Jira GitHub Issue Importer. Many of these non-essential add-ons should be disabled by default.

            Security Metrics Bot added a comment - This is an independent assessment and you should evaluate its applicability to your own IT environment.
            CVSS v3 score: 4.1 => Medium severity

            Exploitability Metrics
            Attack Vector: Network
            Attack Complexity: Low
            Privileges Required: High
            User Interaction: None

            Scope Metric
            Scope: Changed

            Impact Metrics
            Confidentiality: Low
            Integrity: None
            Availability: None

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
