Jira Data Center

[JRASERVER-70606] CSRF in VerifyPopServerConnection!add.jspa - CVE-2019-20099

      The VerifyPopServerConnection!add.jspa component in Atlassian Jira Server and Data Center before version 8.7.0 is vulnerable to cross-site request forgery (CSRF). An attacker could exploit this by tricking an administrative user into making malicious HTTP requests, allowing the attacker to enumerate hosts and open ports on the internal network where Jira server is present.

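As an added example (not code from this issue or from Atlassian), the following detector runs over constructed Tomcat access-log lines and flags requests to the affected action that did not come from a Jira page, which is the trace a CSRF lure leaves behind; the Jira base URL and the admin path /secure/admin/VerifyPopServerConnection!add.jspa are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed values: the base URL of this Jira deployment and the admin action
# path named in the issue (its location under /secure/admin/ is an assumption).
JIRA_BASE_URL = "https://jira.example.internal"
VULNERABLE_PATH = "/secure/admin/VerifyPopServerConnection!add.jspa"

# Tomcat "combined"-style access log: client, ident, user, timestamp, request,
# status, bytes, Referer, User-Agent.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def same_origin(referer: str) -> bool:
    """True when the Referer carries the Jira origin (scheme, host and port)."""
    a, b = urlsplit(referer), urlsplit(JIRA_BASE_URL)
    return (a.scheme.lower(), a.netloc.lower()) == (b.scheme.lower(), b.netloc.lower())

def suspicious_requests(lines):
    """Return (client, user, timestamp, referer) for every request to the POP
    verification action that did not originate from a Jira page: the Referer is
    missing or names another origin. Treat hits as leads, not proof."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        path = m["target"].split("?", 1)[0]
        if path != VULNERABLE_PATH:
            continue
        ref = m["referer"]
        if ref in ("", "-") or not same_origin(ref):
            findings.append((m["client"], m["user"], m["ts"], ref))
    return findings

# Constructed sample: one legitimate admin action submitted from a Jira admin
# page, then two requests to the same action triggered from a foreign page.
SAMPLE_LOG = [
    '10.1.2.3 - admin [27/Mar/2020:10:15:01 +0000] "POST /secure/admin/VerifyPopServerConnection!add.jspa HTTP/1.1" 200 512 "https://jira.example.internal/secure/admin/IncomingMailServers.jspa" "Mozilla/5.0"',
    '10.1.2.3 - admin [27/Mar/2020:10:17:44 +0000] "POST /secure/admin/VerifyPopServerConnection!add.jspa HTTP/1.1" 200 498 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '10.1.2.3 - admin [27/Mar/2020:10:17:45 +0000] "GET /secure/admin/VerifyPopServerConnection!add.jspa HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '10.1.2.9 - - [27/Mar/2020:10:18:00 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 2048 "https://jira.example.internal/secure/Dashboard.jspa" "Mozilla/5.0"',
]
```

A blank Referer is also produced by browser privacy settings, so a hit on the missing-Referer branch needs corroboration (for example a burst of such requests from one admin session) before it is treated as CSRF.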
            Ian Ang added a comment -

            Hi @Mateusz Marzecki, will this be fixed in Jira 7.13.x?

            Michael Aglas added a comment -

            @kevin.m.lange1086566328 how do you know it is related to VerifySmtpServerConnection!update.jspa? Where did you get that info from? What I read from CVE-2019-20099 is that it is about VerifyPopServerConnection!add.jspa, isn't it?

            I guess you refer to a workaround by doing this?
            https://confluence.atlassian.com/kb/how-to-block-access-to-a-specific-url-at-tomcat-966668691.html?_ga=2.239264650.884767796.1585122968-216934939.1575541190

            Zan Bassi added a comment -

            Hello,

            Is there a patch fix for people who are unable to update large production environments immediately?

            Mateusz Marzęcki added a comment -

            Rick,

            we would like to deliver the value without sacrificing quality. The upcoming release is in the last test phase; unfortunately, I am not able to point out specific dates when it will be available.

            Thanks,

            Mateusz

            Jira Server

            Rick van Twillert (TMC) added a comment -

            @Mateusz Marzecki, when will Jira 8.5.4 be released?

            Kevin Lange added a comment -

            The timeline as published by Tenable (https://www.tenable.com/security/research/tra-2020-05) does not instill confidence in Atlassian Product Security nor Enterprise releases. This is a defect from early Q4 2019, and by generous measure it looks like the defect was mishandled, and we're heading into Q2 2020 with no bugfix release issued for 8.5.

            A workaround should have been published: block access to the VerifySmtpServerConnection!update.jspa path until a fix is released.

            It is also very frustrating how I discover Atlassian defects from NIST/US-CERT rather than from their own security announcements (or lack thereof).

            Mateusz Marzęcki added a comment -

            Adrian, Stefan, everyone,

            Thanks for your feedback, I am glad to announce that the fix has been backported to 8.5.4 and 8.6.2 and will be available soon.

            Thanks,

            Mateusz

            Jira Server

            Deleted Account (Inactive) added a comment -

            Why do we have Enterprise Releases when this problem is not fixed there?

            Security Metrics Bot added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 4.7 => Medium severity

            Exploitability Metrics
            Attack Vector: Network
            Attack Complexity: Low
            Privileges Required: None
            User Interaction: Required

            Scope Metric
            Scope: Changed

            Impact Metrics
            Confidentiality: Low
            Integrity: None
            Availability: None

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
