Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 8.5.4, 8.8.0, 7.13.14, 8.7.2
Affects Version/s: 8.5.3, 7.13.13, 8.7.1
Component/s: Installation
Labels:

Fixed in Long Term Support Release/s:

Download 7.13, 8.5
Introduced in Version:
7.13
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Issue Summary

Jira uses Bouncy Castle library in version 1.50 that's vulnerable to 10 CVEs:

https://www.cvedetails.com/cve/CVE-2015-7940/
https://www.cvedetails.com/cve/CVE-2016-1000338/
https://www.cvedetails.com/cve/CVE-2016-1000339/
https://www.cvedetails.com/cve/CVE-2016-1000341/
https://www.cvedetails.com/cve/CVE-2016-1000342/
https://www.cvedetails.com/cve/CVE-2016-1000343/
https://www.cvedetails.com/cve/CVE-2016-1000344/
https://www.cvedetails.com/cve/CVE-2016-1000345/
https://www.cvedetails.com/cve/CVE-2016-1000346/
https://www.cvedetails.com/cve/CVE-2016-1000352/

It is not clear if any of the vulnerabilities can actually be abused by an attacker.

The library should be updated to at least version 1.56 to fix those CVEs.
However, that version has other known vulnerabilities, so it's recommended to update it to at least 1.61.

Workaround

There is no known workaround for this behavior.

Attachments

Issue Links

relates to: MNSTR-3657 Loading...

Activity

People

Assignee:: Daniel Rauf

Reporter:: Daniel Rauf

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Due:: 27/May/2020

Created:: 21/Feb/2020 8:37 AM

Updated:: 01/Sep/2023 1:10 PM

Resolved:: 19/Mar/2020 4:03 PM