[JRASERVER-70407] Jira on Windows was vulnerable to DLL hijacking - CVE-2019-20400 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.5.2, 8.6.0
Affects Version/s: 8.3.2
Component/s: Data Center - Installer, Installation
Labels:

Fixed in Long Term Support Release/s:

Download 8.5
Introduced in Version:
8.03
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

The usage of Tomcat in Jira before version 8.5.2 allows local attackers with permission to write a dll file to a directory in the global path environmental variable can inject code into via a DLL hijacking vulnerability.

Acknowledgment

We would like to thank Peleg Hadar of SafeBreach Labs for reporting this vulnerability.

mentioned in: Page Failed to load

Security Metrics Bot added a comment - 17/Dec/2019 3:19 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 6.7 => Medium severity

Exploitability Metrics

Attack Vector	Local
Attack Complexity	High
Privileges Required	Low
User Interaction	Required

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	High
Integrity	High
Availability	High

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Security Metrics Bot added a comment - 17/Dec/2019 3:19 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 6.7 => Medium severity Exploitability Metrics Attack Vector Local Attack Complexity High Privileges Required Low User Interaction Required Scope Metric Scope Unchanged Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 2 Start watching this issue

Created:: 17/Dec/2019 3:19 AM

Updated:: 22/May/2020 8:23 AM

Resolved:: 17/Dec/2019 3:20 AM

Details

Description

Acknowledgment

Attachments

Issue Links

Forms

Activity

[JRASERVER-70407] Jira on Windows was vulnerable to DLL hijacking - CVE-2019-20400

Collapse comment: Security Metrics Bot added a comment - 17/Dec/2019 3:19 AM

Expand comment: Security Metrics Bot added a comment - 17/Dec/2019 3:19 AM

People

Dates