• Type: Bug
• Resolution: Fixed
• Priority: Low (View bug fix roadmap)
• Fix Version/s: 8.7.0, 8.5.4
• Affects Version/s: 7.6.15
• Component/s: System Administration - Others
• Labels:

  • CVE-2019-20098
  • advisory
  • advisory-released
  • csrf
  • cvss-medium
  • security

[JRASERVER-70605] CSRF in VerifySmtpServerConnection!add.jspa - CVE-2019-20098

Collapse comment: APACIT Chubb added a comment - 15/Apr/2020 9:54 AM

APACIT Chubb added a comment - 15/Apr/2020 9:54 AM

Has this been ported back to Enterprise Release 7.13 ?

Expand comment: APACIT Chubb added a comment - 15/Apr/2020 9:54 AM

APACIT Chubb added a comment - 15/Apr/2020 9:54 AM Has this been ported back to Enterprise Release 7.13 ?

Collapse comment: Robert Conrad added a comment - 03/Apr/2020 6:17 AM

Robert Conrad added a comment - 03/Apr/2020 6:17 AM

@Michael Aglas: Please check End of Life policies for Enterprise Releases.

Expand comment: Robert Conrad added a comment - 03/Apr/2020 6:17 AM

Robert Conrad added a comment - 03/Apr/2020 6:17 AM @Michael Aglas: Please check End of Life policies for Enterprise Releases .

Collapse comment: Michael Aglas added a comment - 26/Mar/2020 6:47 AM

Michael Aglas added a comment - 26/Mar/2020 6:47 AM

@robert.conrad who is still using Jira 7x? there are more CVEs solved meanwhile, so you should really think about upgrading to latest version

due to the success of Jira it's meanwhile in the focus for remote attackers, you should not underrate this fact

Expand comment: Michael Aglas added a comment - 26/Mar/2020 6:47 AM

Michael Aglas added a comment - 26/Mar/2020 6:47 AM @robert.conrad who is still using Jira 7x? there are more CVEs solved meanwhile, so you should really think about upgrading to latest version due to the success of Jira it's meanwhile in the focus for remote attackers, you should not underrate this fact

Collapse comment: Robert Conrad added a comment - 17/Mar/2020 2:18 PM

Robert Conrad added a comment - 17/Mar/2020 2:18 PM

According to this ticket the Introduced in Version is 7.6.

When can we expect a fix for the previous (and still valid) Enterprise Release 7.13?

Expand comment: Robert Conrad added a comment - 17/Mar/2020 2:18 PM

Robert Conrad added a comment - 17/Mar/2020 2:18 PM According to this ticket the Introduced in Version is 7.6. When can we expect a fix for the previous (and still valid) Enterprise Release 7.13?

Collapse comment: Anurag Jalan added a comment - 17/Mar/2020 7:04 AM

Anurag Jalan added a comment - 17/Mar/2020 7:04 AM

Any interim solution for this?

Expand comment: Anurag Jalan added a comment - 17/Mar/2020 7:04 AM

Anurag Jalan added a comment - 17/Mar/2020 7:04 AM Any interim solution for this?

Collapse comment: Babiel GmbH added a comment - 11/Mar/2020 3:28 PM

Babiel GmbH added a comment - 11/Mar/2020 3:28 PM

Hi there,

since this bug is more than a month old and still no release of version 8.5.4, when will it be available?

Regards, Christian

Expand comment: Babiel GmbH added a comment - 11/Mar/2020 3:28 PM

Babiel GmbH added a comment - 11/Mar/2020 3:28 PM Hi there, since this bug is more than a month old and still no release of version 8.5.4, when will it be available? Regards, Christian

Collapse comment: Mateusz Marzęcki added a comment - 21/Feb/2020 2:14 PM

Mateusz Marzęcki added a comment - 21/Feb/2020 2:14 PM

Dimitri, Adrian, Stefan, everyone, 

 

Thanks for your feedback, I am glad to announce that the fix has been backported to the 8.5.4 and 8.6.2 and will be available soon.

 

Thanks, 

Mateusz

Jira Server

Expand comment: Mateusz Marzęcki added a comment - 21/Feb/2020 2:14 PM

Mateusz Marzęcki added a comment - 21/Feb/2020 2:14 PM Dimitri, Adrian, Stefan, everyone,    Thanks for your feedback, I am glad to announce that the fix has been backported to the 8.5.4 and 8.6.2 and will be available soon.   Thanks,  Mateusz Jira Server

Collapse comment: Deleted Account (Inactive) added a comment - 21/Feb/2020 8:46 AM

Deleted Account (Inactive) added a comment - 21/Feb/2020 8:46 AM

Same question from my side!

Expand comment: Deleted Account (Inactive) added a comment - 21/Feb/2020 8:46 AM

Deleted Account (Inactive) added a comment - 21/Feb/2020 8:46 AM Same question from my side!

Collapse comment: Dimitri added a comment - 11/Feb/2020 4:26 PM

Dimitri added a comment - 11/Feb/2020 4:26 PM

Will this, JRASERVER-70606, and JRASERVER-70607 be ported to the 8.5.x enterprise release as well or just 8.7.x?

Expand comment: Dimitri added a comment - 11/Feb/2020 4:26 PM

Dimitri added a comment - 11/Feb/2020 4:26 PM Will this, JRASERVER-70606 , and JRASERVER-70607 be ported to the 8.5.x enterprise release as well or just 8.7.x?

Collapse comment: Security Metrics Bot added a comment - 05/Feb/2020 4:02 PM

Security Metrics Bot added a comment - 05/Feb/2020 4:02 PM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 4.7 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	Required

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	Low
Integrity	None
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Expand comment: Security Metrics Bot added a comment - 05/Feb/2020 4:02 PM

Security Metrics Bot added a comment - 05/Feb/2020 4:02 PM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 4.7 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction Required Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N