
SSRF in the /plugins/servlet/gadgets/makeRequest resource - CVE-2019-8451

      The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

      Important Note: The patch is deployed in the fix versions and later by configuring the Jira URL allowlist. N.B.: The allowlist is enabled by default (without any URLs defined). However, the fixed versions will be vulnerable if the allowlist is disabled by the administrator.
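As an added example (not part of this issue or of Atlassian's code), a small detection pass over constructed access-log lines that flags makeRequest calls whose proxied target is a loopback, private or link-local address; the `url` query-parameter name is an assumption about how the endpoint is invoked.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not taken from the issue page).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Sep/2019:10:01:02 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=http%3A%2F%2F127.0.0.1%3A8080%2Fstatus HTTP/1.1" 200 512
10.0.0.5 - - [20/Sep/2019:10:01:03 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=http%3A%2F%2Fjira.example.com%2Frest%2Fapi%2F2%2Fmyself HTTP/1.1" 200 340
10.0.0.6 - - [20/Sep/2019:10:01:04 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=http%3A%2F%2F10.1.2.3%3A8080%2F HTTP/1.1" 200 99
10.0.0.7 - - [20/Sep/2019:10:01:05 +0000] "GET /browse/JRASERVER-69793 HTTP/1.1" 200 8000
"""

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
MAKEREQUEST_PATH = "/plugins/servlet/gadgets/makeRequest"


def extract_target(line):
    """Return the proxied target URL of a makeRequest log line, or None.

    The 'url' parameter name is an assumption; adjust it to what your
    own access logs show for this endpoint.
    """
    m = REQ_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    if parts.path != MAKEREQUEST_PATH:
        return None
    targets = parse_qs(parts.query).get("url")  # parse_qs percent-decodes
    return targets[0] if targets else None


def is_internal_target(url):
    """True if the target host is a literal loopback/private/link-local IP."""
    host = urlsplit(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal IP: needs resolution to decide
    return ip.is_loopback or ip.is_private or ip.is_link_local


def flag_ssrf_candidates(log_text):
    """Return the makeRequest targets that point at internal addresses."""
    flagged = []
    for line in log_text.splitlines():
        target = extract_target(line)
        if target and is_internal_target(target):
            flagged.append(target)
    return flagged
```

Hostnames are deliberately not resolved here; in a real pipeline, resolve them against your own DNS before deciding, since a public name can point at an internal address.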


            M Amine added a comment -

            If we are using a reverse proxy, can't we just block the URI? It is an urgent matter, as some clients are not able to upgrade ASAP.

            John Bartelt added a comment -

            I am really amazed that Atlassian has not released a security announcement on their mailing list or on https://www.atlassian.com/trust/security/advisories

            I really hate first hearing about vulnerabilities from my CISO or a bug-bounty hunter.

            Mateusz Walas (Inactive) added a comment -

            Hello everyone

            We have not forgotten about 7.6 and would like to reassure you that the fix will also be included in 7.6.17, which should be available for the public around the end of this month.

            Thank you for your patience.

            Christopher Medalis added a comment -

            Will 7.13.9 include fixes for these issues that were reported for Jira < 8.4?

            Tobias Heinemann added a comment -

            Is there any ETA for Jira 7.13.9?

            Egon S., Swisscom added a comment - - edited

            Hi @Mateusz,

            We upgraded to 8.4.1, and it is still vulnerable...

            Update: actually, the source code includes the fix; there must be another problem with our installation.

            Update 2: yep, there was a load balancer issue pointing to an older instance...


            Horace Su added a comment - - edited

            Hi @Mateusz,

            When will it be released and listed on https://www.atlassian.com/trust/security/advisories ?

            Would there be a workaround? Thanks.

            Grab Atlassian added a comment -

            I don't understand why Atlassian is so cold-blooded about fixing Jira 7.13.

            Tucker Perry added a comment -

            Do you have a timeline for releasing this patch?

            Mateusz Walas (Inactive) added a comment -

            Hello everyone.
            Thank you for bringing this bug to our attention again. The company policy is to backport only critical bugs from 8.x to 7.13.x (hence the lack of a 7.13 fix version); however, seeing an increased interest in this fix, we've decided to do our best to have it shipped in the next bugfix release (7.13.9).
            We are not aware of any workaround.
