The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.

      Affected versions

      • version < 8.5.4
      • 8.6.0 ≤ version ≤ 8.7.0
      • 8.7.0 ≤ version < 8.7.1

      Fixed versions

      • 8.5.4
      • 8.7.1
      • 8.8.0

            [JRASERVER-70814] Stored XSS via malicious file upload - CVE-2020-14173

            Tobias added a comment -

            Will there be a fix for LTS versions above 8.5.4?

            Tobias added a comment - Will there be a fix for LTS versions above 8.5.4?

            trtherrien added a comment -

            Does version 7.13.13 require an update and would we have to go all the way to 8.5.4?

            trtherrien added a comment - Does version 7.13.13 require an update and would we have to go all the way to 8.5.4?

            Is there any possibility that a patch will be made available, or is upgrading to unaffected version the only option?

            Darron Haworth added a comment - Is there any possibility that a patch will be made available, or is upgrading to unaffected version the only option?

            Are there any mitigation actions that can be taken for customers that are not able to upgrade imediately?

            George Georgakopoulos [Nimaworks] added a comment - Are there any mitigation actions that can be taken for customers that are not able to upgrade imediately?

            Thanks Daniel,

            can you also update the "Introduced in" field?

            Jens Kisters [APTIS] added a comment - Thanks Daniel, can you also update the "Introduced in" field?

            Good catch j.kisters574496330!

            The issue was reported against 8.6.1, even though the vulnerability also affects earlier Jira versions. We didn't update the internal ticket, so the security bot populated the field with just 8.6.1.

            The proper affected versions are listed in the description, but for consistency, I've updated the "Affected Version/s" field.

            Thanks!

            Daniel Rauf added a comment - Good catch j.kisters574496330 ! The issue was reported against 8.6.1, even though the vulnerability also affects earlier Jira versions. We didn't update the internal ticket, so the security bot populated the field with just 8.6.1. The proper affected versions are listed in the description, but for consistency, I've updated the "Affected Version/s" field. Thanks!

            Jens Kisters [APTIS] added a comment - - edited

            If the issue was introduced in 8.6, why does it need to be fixed in 8.5.4?

            Jens Kisters [APTIS] added a comment - - edited If the issue was introduced in 8.6, why does it need to be fixed in 8.5.4?

            This is an independent assessment and you should evaluate its applicability to your own IT environment.
            CVSS v3 score: 7.1 => High severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity High
            Privileges Required Low
            User Interaction Required

            Scope Metric

            Scope Unchanged

            Impact Metrics

            Confidentiality High
            Integrity High
            Availability High

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

            Security Metrics Bot added a comment - This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 7.1 => High severity Exploitability Metrics Attack Vector Network Attack Complexity High Privileges Required Low User Interaction Required Scope Metric Scope Unchanged Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Affected customers:
              0 This affects my team
              Watchers:
              14 Start watching this issue

                Created:
                Updated:
                Resolved: