• Type: Bug
• Resolution: Fixed
• Priority: Low (View bug fix roadmap)
• Fix Version/s: 8.4.0, 7.6.17, 7.13.9
• Affects Version/s: 7.6.9, 8.1.0, 8.0.2
• Component/s: Dashboard & Gadgets
• Labels:

  • CVE-2019-8451
  • advisory
  • advisory-released
  • cvss-high
  • li_upgrade
  • security
  • ssrf

[JRASERVER-69793] SSRF in the /plugins/servlet/gadgets/makeRequest resource - CVE-2019-8451

Collapse comment: M Amine added a comment - 30/Apr/2020 10:47 AM

M Amine added a comment - 30/Apr/2020 10:47 AM

If we are using a reverse-proxy cann't we just block the URI? It is an urgent matter as some client are not able to upgrade asap. 

Expand comment: M Amine added a comment - 30/Apr/2020 10:47 AM

M Amine added a comment - 30/Apr/2020 10:47 AM If we are using a reverse-proxy cann't we just block the URI? It is an urgent matter as some client are not able to upgrade asap. 

Collapse comment: John Bartelt added a comment - 05/Nov/2019 9:55 PM

John Bartelt added a comment - 05/Nov/2019 9:55 PM

I am really amazed that Atlassian has not released a security announcement on their mailing list or on https://www.atlassian.com/trust/security/advisories

I really hate first hearing about vulnerabilities from my CISO or a bug-bounty hunter.

Expand comment: John Bartelt added a comment - 05/Nov/2019 9:55 PM

John Bartelt added a comment - 05/Nov/2019 9:55 PM I am really amazed that Atlassian has not released a security announcement on their mailing list or on https://www.atlassian.com/trust/security/advisories I really hate first hearing about vulnerabilities from my CISO or a bug-bounty hunter.

Collapse comment: Mateusz Walas (Inactive) added a comment - 17/Oct/2019 8:51 AM

Mateusz Walas (Inactive) added a comment - 17/Oct/2019 8:51 AM

Hello everyone

We have not forgotten about 7.6 and would like to reassure you that the fix will also be included in 7.6.17 which should be available for the public around the end of this month.

Thank you for your patience.

Expand comment: Mateusz Walas (Inactive) added a comment - 17/Oct/2019 8:51 AM

Mateusz Walas (Inactive) added a comment - 17/Oct/2019 8:51 AM Hello everyone We have not forgotten about 7.6 and would like to reassure you that the fix will also be included in 7.6.17 which should be available for the public around the end of this month. Thank you for your patience.

Collapse comment: Christopher Medalis added a comment - 10/Oct/2019 2:50 PM

Christopher Medalis added a comment - 10/Oct/2019 2:50 PM

7.13.9 will include fixes for these issues that were reported for Jira < 8.4 ?

Expand comment: Christopher Medalis added a comment - 10/Oct/2019 2:50 PM

Christopher Medalis added a comment - 10/Oct/2019 2:50 PM 7.13.9 will include fixes for these issues that were reported for Jira < 8.4 ?

Collapse comment: Tobias Heinemann added a comment - 08/Oct/2019 11:19 AM

Tobias Heinemann added a comment - 08/Oct/2019 11:19 AM

Is there any ETA for Jira 7.13.9?

Expand comment: Tobias Heinemann added a comment - 08/Oct/2019 11:19 AM

Tobias Heinemann added a comment - 08/Oct/2019 11:19 AM Is there any ETA for Jira 7.13.9?

Collapse comment: Egon S., Swisscom added a comment - 08/Oct/2019 10:47 AM, Edited by Egon S., Swisscom - 10/Oct/2019 3:09 PM

Egon S., Swisscom added a comment - 08/Oct/2019 10:47 AM - edited

Hi @Mateusz,

we upgraded to 8.4.1, and it is still vulnerable...

Update: actually, the source code includes the fix, there must be another problem at our installation

Update 2: yep, there was a load balancer issue pointing to an older instance...

Expand comment: Egon S., Swisscom added a comment - 08/Oct/2019 10:47 AM, Edited by Egon S., Swisscom - 10/Oct/2019 3:09 PM

Egon S., Swisscom added a comment - 08/Oct/2019 10:47 AM - edited Hi @Mateusz, we upgraded to 8.4.1, and it is still vulnerable... Update: actually, the source code includes the fix, there must be another problem at our installation Update 2: yep, there was a load balancer issue pointing to an older instance...

Collapse comment: Horace Su added a comment - 07/Oct/2019 1:39 AM, Edited by Horace Su - 07/Oct/2019 1:43 AM

Horace Su added a comment - 07/Oct/2019 1:39 AM - edited

Hi @Mateusz,

When will it be released and on the https://www.atlassian.com/trust/security/advisories ?

Would it have a workaround? thanks.

Expand comment: Horace Su added a comment - 07/Oct/2019 1:39 AM, Edited by Horace Su - 07/Oct/2019 1:43 AM

Horace Su added a comment - 07/Oct/2019 1:39 AM - edited Hi @Mateusz, When will it be released and on the  https://www.atlassian.com/trust/security/advisories  ? Would it have a workaround? thanks.

Collapse comment: Grab Atlassian added a comment - 01/Oct/2019 6:35 AM

Grab Atlassian added a comment - 01/Oct/2019 6:35 AM

I don't understand why Atlassian is very cold blood for fixing Jira 7.13 

Expand comment: Grab Atlassian added a comment - 01/Oct/2019 6:35 AM

Grab Atlassian added a comment - 01/Oct/2019 6:35 AM I don't understand why Atlassian is very cold blood for fixing Jira 7.13 

Collapse comment: Tucker Perry added a comment - 30/Sep/2019 5:04 PM

Tucker Perry added a comment - 30/Sep/2019 5:04 PM

Do you have a timeline for releasing this patch?

Expand comment: Tucker Perry added a comment - 30/Sep/2019 5:04 PM

Tucker Perry added a comment - 30/Sep/2019 5:04 PM Do you have a timeline for releasing this patch?

Collapse comment: Mateusz Walas (Inactive) added a comment - 26/Sep/2019 9:21 AM

Mateusz Walas (Inactive) added a comment - 26/Sep/2019 9:21 AM

Hello everyone.
Thank you for bringing this bug to our attention again. The company policy is to backport only critical bugs from 8.x to 7.13.x (hence the lack of 7.13 fix version), however seeing an increased interest in this fix we've decided to do our best to have it shipped in the next bugfix release (7.13.9).
We are not aware of any workaround.

Expand comment: Mateusz Walas (Inactive) added a comment - 26/Sep/2019 9:21 AM

Mateusz Walas (Inactive) added a comment - 26/Sep/2019 9:21 AM Hello everyone. Thank you for bringing this bug to our attention again. The company policy is to backport only critical bugs from 8.x to 7.13.x (hence the lack of 7.13 fix version), however seeing an increased interest in this fix we've decided to do our best to have it shipped in the next bugfix release (7.13.9). We are not aware of any workaround.

Collapse comment: Christofer Sundström added a comment - 25/Sep/2019 11:20 AM, Edited by Christofer Sundström - 25/Sep/2019 11:20 AM

Christofer Sundström added a comment - 25/Sep/2019 11:20 AM - edited

We need an enterprise release fix for this issue 

Expand comment: Christofer Sundström added a comment - 25/Sep/2019 11:20 AM, Edited by Christofer Sundström - 25/Sep/2019 11:20 AM

Christofer Sundström added a comment - 25/Sep/2019 11:20 AM - edited We need an enterprise release fix for this issue 

Collapse comment: Daniel Törnqvist added a comment - 25/Sep/2019 6:39 AM

Daniel Törnqvist added a comment - 25/Sep/2019 6:39 AM

+1 on the where's the enterprise release patch?

Expand comment: Daniel Törnqvist added a comment - 25/Sep/2019 6:39 AM

Daniel Törnqvist added a comment - 25/Sep/2019 6:39 AM +1 on the where's the enterprise release patch?

Collapse comment: ClaireYang added a comment - 25/Sep/2019 2:43 AM

ClaireYang added a comment - 25/Sep/2019 2:43 AM

@Jason Smith, will this bug be fixed in version 7.13?

Expand comment: ClaireYang added a comment - 25/Sep/2019 2:43 AM

ClaireYang added a comment - 25/Sep/2019 2:43 AM @Jason Smith, will this bug be fixed in version 7.13?

Collapse comment: vihar garlapati added a comment - 24/Sep/2019 3:32 PM

vihar garlapati added a comment - 24/Sep/2019 3:32 PM

@Jason Smith, once you have more inofrmation, could you please suggest the temporary workaround ?

Expand comment: vihar garlapati added a comment - 24/Sep/2019 3:32 PM

vihar garlapati added a comment - 24/Sep/2019 3:32 PM @Jason Smith, once you have more inofrmation, could you please suggest the temporary workaround ?

Collapse comment: Jason D Smith added a comment - 23/Sep/2019 4:52 PM

Jason D Smith added a comment - 23/Sep/2019 4:52 PM

My security team is asking about this and I am also looking for an enterprise release patch for this.

Expand comment: Jason D Smith added a comment - 23/Sep/2019 4:52 PM

Jason D Smith added a comment - 23/Sep/2019 4:52 PM My security team is asking about this and I am also looking for an enterprise release patch for this.

Collapse comment: Jeff Blaine added a comment - 11/Sep/2019 8:54 PM

Jeff Blaine added a comment - 11/Sep/2019 8:54 PM

If this affects version Jira before 8.4.0 as indicated here, shouldn't there be a 7.13 enterprise release listed in the "Fix versions"?

Expand comment: Jeff Blaine added a comment - 11/Sep/2019 8:54 PM

Jeff Blaine added a comment - 11/Sep/2019 8:54 PM If this affects version Jira before 8.4.0 as indicated here, shouldn't there be a 7.13 enterprise release listed in the "Fix versions"?

Collapse comment: Security Metrics Bot added a comment - 12/Aug/2019 2:44 AM

Security Metrics Bot added a comment - 12/Aug/2019 2:44 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 7.2 => High severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	Low
Integrity	Low
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Expand comment: Security Metrics Bot added a comment - 12/Aug/2019 2:44 AM

Security Metrics Bot added a comment - 12/Aug/2019 2:44 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 7.2 => High severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction None Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity Low Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N