[%22Issue] JMX monitoring flag in Jira was vulnerable to XSRF/CSRF - CVE-2019-20405 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 8.6.0
Affects Version/s: 7.13.0
Component/s: System Administration - Secure Administrator Sessions
Labels:
- advisory
- advisory-released
- bugbounty
- csrf
- cve-2019-20405
- cvss-low
- security

Introduced in Version:
7.13
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

The JMX monitoring flag in Atlassian Jira Server and Data Center before version 8.6.0 allows remote attackers to turn the JMX monitoring flag off or on via a Cross-site request forgery (CSRF) vulnerability.

mentioned in: Page Failed to load; Page Failed to load; Page Failed to load; Page Failed to load; Page Failed to load; Page Loading...

(1 mentioned in)

Sherryl Radbil added a comment - 12/Aug/2020 3:00 PM

So it turns out that the vulnerability we are discussing is NOT Low but rather medium.
Please see the official page:
https://nvd.nist.gov/vuln/detail/CVE-2019-20405
You will see this is not 3.4 Low, but 4.3 Medium.

Please re-evaluate your stance to abandon people who are on the LTS and put the fix in there ASAP.

Sherryl Radbil added a comment - 12/Aug/2020 3:00 PM So it turns out that the vulnerability we are discussing is NOT Low but rather medium. Please see the official page: https://nvd.nist.gov/vuln/detail/CVE-2019-20405 You will see this is not 3.4 Low, but 4.3 Medium. Please re-evaluate your stance to abandon people who are on the LTS and put the fix in there ASAP.

Sherryl Radbil added a comment - 21/Jul/2020 6:35 PM

According to Security Bug Fix Policy

Low severity bugs (CVSS v2 score < 3, CVSS v3 score < 4) to be fixed in product within 25 weeks of being reported

It has been more than 25 weeks since this ticket was opened.
When will there be a fix to the 8.5 Long Term Support release?

Sherryl Radbil added a comment - 21/Jul/2020 6:35 PM According to Security Bug Fix Policy Low severity bugs (CVSS v2 score < 3, CVSS v3 score < 4) to be fixed in product within 25 weeks of being reported It has been more than 25 weeks since this ticket was opened. When will there be a fix to the 8.5 Long Term Support release?

Andrew Zimmerman added a comment - 28/May/2020 7:45 PM

Does a version of Jira Server 8.5.x remediate this risk?

Andrew Zimmerman added a comment - 28/May/2020 7:45 PM Does a version of Jira Server 8.5.x remediate this risk?

Deleted Account (Inactive) added a comment - 04/Mar/2020 5:32 PM

I see now that the enterprise releases might only receive fixes for critical severity issues.

Deleted Account (Inactive) added a comment - 04/Mar/2020 5:32 PM I see now that the enterprise releases might only receive fixes for critical severity issues.

Deleted Account (Inactive) added a comment - 21/Feb/2020 4:01 PM

Why is this closed without a fix for enterprise version 7.13.x?

Deleted Account (Inactive) added a comment - 21/Feb/2020 4:01 PM Why is this closed without a fix for enterprise version 7.13.x?

Thorsten Stöhr added a comment - 07/Feb/2020 7:46 AM

Will you provide a fix for Enterprise release 8.5?

Thx

Thorsten Stöhr added a comment - 07/Feb/2020 7:46 AM Will you provide a fix for Enterprise release 8.5? Thx

Security Metrics Bot added a comment - 30/Jan/2020 10:24 PM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 3.4 => Low severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	High
Privileges Required	None
User Interaction	Required

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	None
Integrity	Low
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N

Security Metrics Bot added a comment - 30/Jan/2020 10:24 PM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 3.4 => Low severity Exploitability Metrics Attack Vector Network Attack Complexity High Privileges Required None User Interaction Required Scope Metric Scope Changed Impact Metrics Confidentiality None Integrity Low Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 8 Start watching this issue

Created:: 30/Jan/2020 10:24 PM

Updated:: 13/May/2021 3:43 PM

Resolved:: 31/Jan/2020 6:45 PM

Details

Description

Attachments

Issue Links

Forms

Activity

[JRASERVER-70570] JMX monitoring flag in Jira was vulnerable to XSRF/CSRF - CVE-2019-20405

Collapse comment: Sherryl Radbil added a comment - 12/Aug/2020 3:00 PM

Expand comment: Sherryl Radbil added a comment - 12/Aug/2020 3:00 PM

Collapse comment: Sherryl Radbil added a comment - 21/Jul/2020 6:35 PM

Expand comment: Sherryl Radbil added a comment - 21/Jul/2020 6:35 PM

Collapse comment: Andrew Zimmerman added a comment - 28/May/2020 7:45 PM

Expand comment: Andrew Zimmerman added a comment - 28/May/2020 7:45 PM

Collapse comment: Deleted Account (Inactive) added a comment - 04/Mar/2020 5:32 PM

Expand comment: Deleted Account (Inactive) added a comment - 04/Mar/2020 5:32 PM

Collapse comment: Deleted Account (Inactive) added a comment - 21/Feb/2020 4:01 PM

Expand comment: Deleted Account (Inactive) added a comment - 21/Feb/2020 4:01 PM

Collapse comment: Thorsten Stöhr added a comment - 07/Feb/2020 7:46 AM

Expand comment: Thorsten Stöhr added a comment - 07/Feb/2020 7:46 AM

Collapse comment: Security Metrics Bot added a comment - 30/Jan/2020 10:24 PM

Expand comment: Security Metrics Bot added a comment - 30/Jan/2020 10:24 PM

People

Dates