-
Bug
-
Resolution: Fixed
-
Low (View bug fix roadmap)
-
7.6.0, 7.13.0, 7.6.15, 8.5.1, 7.13.12, 8.7.0, 8.6.1, 8.5.3
-
7.06
-
Severity 2 - Major
-
The file upload feature in Atlassian Jira Server and Data Center in affected versions allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.
Affected versions
- version < 8.5.4
- 8.6.0 ≤ version ≤ 8.7.0
- 8.7.0 ≤ version < 8.7.1
Fixed versions
- 8.5.4
- 8.7.1
- 8.8.0
[JRASERVER-70814] Stored XSS via malicious file upload - CVE-2020-14173
Does version 7.13.13 require an update and would we have to go all the way to 8.5.4?
Is there any possibility that a patch will be made available, or is upgrading to unaffected version the only option?
Are there any mitigation actions that can be taken for customers that are not able to upgrade imediately?
Thanks Daniel,
can you also update the "Introduced in" field?
Good catch j.kisters574496330!
The issue was reported against 8.6.1, even though the vulnerability also affects earlier Jira versions. We didn't update the internal ticket, so the security bot populated the field with just 8.6.1.
The proper affected versions are listed in the description, but for consistency, I've updated the "Affected Version/s" field.
Thanks!
If the issue was introduced in 8.6, why does it need to be fixed in 8.5.4?
This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 7.1 => High severity
Exploitability Metrics
| Attack Vector | Network |
|---|---|
| Attack Complexity | High |
| Privileges Required | Low |
| User Interaction | Required |
Scope Metric
| Scope | Unchanged |
|---|
Impact Metrics
| Confidentiality | High |
|---|---|
| Integrity | High |
| Availability | High |
https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Will there be a fix for LTS versions above 8.5.4?