Uploaded image for project: 'Jira Server and Data Center'
  1. Jira Server and Data Center
  2. JRASERVER-70858

Stored XSS in Add Field module - CVE-2019-20900

    XMLWordPrintable

    Details

    • Introduced in Version:
      8.02
    • Symptom Severity:
      Severity 3 - Minor
    • Bug Fix Policy:
    • Current Status:
      Hide

       

      Atlassian Update – 01 February 2021

       
      Hi,

      We’ve analyzed this issue and released a fix for it in Jira 8.7 and later, including the Jira 8.13 LTS release. The risk of exploiting this vulnerability is low, as it can only be exploited by someone with admin credentials.

      We’re not planning to backport the fix to Jira 8.5 LTS, as it might break your current field descriptions that contain HTML, which we don’t want to do in a bugfix release. You can, however, implement the same fix manually by changing one of the Jira settings.

      To fix this manually,

      1. In Jira, go to Administration > General Configuration, and select Edit Settings.
      2. Set the Enable HTML in field descriptions and list values setting to OFF. After disabling this setting, you will also need to update the field descriptions that contain HTML, and remove the markup. This is the breaking behavior we’ve mentioned above.

      We also advise to upgrade to the latest Jira 8.13 LTS release.

       

      Thank you,

      Jira Server and Data Center Team

      Show
        Atlassian Update – 01 February 2021   Hi, We’ve analyzed this issue and released a fix for it in Jira 8.7 and later, including the Jira 8.13 LTS release. The risk of exploiting this vulnerability is low, as it can only be exploited by someone with admin credentials. We’re not planning to backport the fix to Jira 8.5 LTS, as it might break your current field descriptions that contain HTML, which we don’t want to do in a bugfix release. You can, however, implement the same fix manually by changing one of the Jira settings. To fix this manually, In Jira, go to Administration > General Configuration , and select Edit Settings . Set the Enable HTML in field descriptions and list values setting to OFF. After disabling this setting, you will also need to update the field descriptions that contain HTML, and remove the markup. This is the breaking behavior we’ve mentioned above. We also advise to upgrade to the latest Jira 8.13 LTS release.   Thank you, Jira Server and Data Center Team

      Description

      Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the Add Field module.

      Affected versions:

      • version < 8.7.0

      Fixed versions:

      • 8.7.0

        Attachments

          Issue Links

          relates to

          Suggestion - JRASERVER-44458 Using JavaScript in description field should require explicit configuration

          • Closed
          mentioned in

          Page Loading...

          Page Loading...

          Page Loading...

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              13 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: