[JRASERVER-68527] The VerifyPopServerConnection resource was vulnerable to SSRF - CVE-2018-13404 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Medium (View bug fix roadmap)
Fix Version/s: 7.8.5, 7.7.5, 7.9.3, 7.10.3, 7.11.3, 7.13.1, 7.12.3, 7.6.10, 8.0.0
Affects Version/s: 7.11.0
Component/s: Mail Server
Labels:

Fixed in Long Term Support Release/s:

Download 7.13, 7.6
Introduced in Version:
7.11
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy
Current Status:

Hide

Atlassian Update – 21 December 2018

Dear Jira users,

We’re glad to announce that this issue will be addressed in our upcoming 8.0 release.

You can find more details about our 8.0 beta release here — https://community.developer.atlassian.com/t/beta-for-jira-8-0-is-up-for-grabs/25588

Looking forward to your feedback!

Kind regards,
Syed Masood
Product Manager, Jira Server and Data Center

Show
Atlassian Update – 21 December 2018 Dear Jira users, We’re glad to announce that this issue will be addressed in our upcoming 8.0 release. You can find more details about our 8.0 beta release here — https://community.developer.atlassian.com/t/beta-for-jira-8-0-is-up-for-grabs/25588 Looking forward to your feedback! Kind regards, Syed Masood Product Manager, Jira Server and Data Center

The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and from version 7.13.0 before version 7.13.1 allows remote attackers who have administrator rights to determine the existence of internal hosts & open ports and in some cases obtain service information from internal network resources via a Server Side Request Forgery (SSRF) vulnerability.

Security Metrics Bot added a comment - 03/Dec/2018 2:58 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 4.1 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	High
User Interaction	None

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	Low
Integrity	None
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Security Metrics Bot added a comment - 03/Dec/2018 2:58 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 4.1 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required High User Interaction None Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 1 Start watching this issue

Created:: 03/Dec/2018 2:58 AM

Updated:: 22/May/2020 8:24 AM

Resolved:: 03/Dec/2018 3:17 AM

Jira Data Center

Details

Description

Attachments

Forms

Activity

[JRASERVER-68527] The VerifyPopServerConnection resource was vulnerable to SSRF - CVE-2018-13404

Collapse comment: Security Metrics Bot added a comment - 03/Dec/2018 2:58 AM

Expand comment: Security Metrics Bot added a comment - 03/Dec/2018 2:58 AM

People

Dates