[JRASERVER-66748] The bundled Atlassian Universal Plugin Manager plugin had a XSS issue - CVE-2018-5229 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: High (View bug fix roadmap)
Fix Version/s: 7.10.0, 7.9.2, 7.7.4, 7.8.4, 7.6.7
Affects Version/s: 7.6.0, 7.7.0, 7.8.0, 7.9.0
Component/s: UPM (Universal Plugin Manager)
Labels:

Fixed in Long Term Support Release/s:

Download 7.6
Introduced in Version:
7.06
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

The version of the bundled Atlassian Universal Plugin Manager plugin had a cross site scripting vulnerability (XSS). See https://ecosystem.atlassian.net/browse/UPM-5871 for more details.

is related to

BAM-19786 The bundled Atlassian Universal Plugin Manager plugin had a XSS issue - CVE-2018-5229

Closed

CONFSERVER-55237 The bundled Atlassian Universal Plugin Manager plugin had a XSS issue - CVE-2018-5229

Closed

UPM-5871 XSS through user requested add-on names - CVE-2018-5229

Done

was cloned as

BSERV-10606 The bundled Atlassian Universal Plugin Manager plugin had a XSS issue - CVE-2018-5229

Closed

mentioned in: Page Failed to load

relates to: UPM-5806 Loading...; RAID-900 Loading...

(2 relates to)

David Black added a comment - 18/Apr/2018 7:59 AM - edited

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 8.0 => High severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low
User Interaction	Required

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	High
Integrity	High
Availability	High

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

David Black added a comment - 18/Apr/2018 7:59 AM - edited This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 8.0 => High severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction Required Scope Metric Scope Unchanged Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Assignee:: Ignat (Inactive)

Reporter:: David Black

Affected customers:: 0 This affects my team

Watchers:: 2 Start watching this issue

Created:: 07/Feb/2018 10:17 PM

Updated:: 01/Jun/2023 9:08 AM

Resolved:: 09/May/2018 11:18 AM

Jira Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

[JRASERVER-66748] The bundled Atlassian Universal Plugin Manager plugin had a XSS issue - CVE-2018-5229

Collapse comment: David Black added a comment - 18/Apr/2018 7:59 AM, Edited by David Black - 23/Jul/2018 6:50 AM

Expand comment: David Black added a comment - 18/Apr/2018 7:59 AM, Edited by David Black - 23/Jul/2018 6:50 AM

People

Dates