[JRASERVER-70858] Stored XSS in Add Field module - CVE-2019-20900 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.7.0
Affects Version/s: 8.2.1
Component/s: Administration - Fields
Labels:
- advisory
- advisory-released
- bugbounty
- cve-2019-20900
- cvss-medium
- monsters
- security
- xss

Introduced in Version:
8.02
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy
Current Status:
Hide

Atlassian Update – 01 February 2021

Hi,

We’ve analyzed this issue and released a fix for it in Jira 8.7 and later, including the Jira 8.13 LTS release. The risk of exploiting this vulnerability is low, as it can only be exploited by someone with admin credentials.

We’re not planning to backport the fix to Jira 8.5 LTS, as it might break your current field descriptions that contain HTML, which we don’t want to do in a bugfix release. You can, however, implement the same fix manually by changing one of the Jira settings.

To fix this manually,

In Jira, go to Administration > General Configuration, and select Edit Settings.

Set the Enable HTML in field descriptions and list values setting to OFF. After disabling this setting, you will also need to update the field descriptions that contain HTML, and remove the markup. This is the breaking behavior we’ve mentioned above.

We also advise to upgrade to the latest Jira 8.13 LTS release.

Thank you,

Jira Server and Data Center Team
Show
Atlassian Update – 01 February 2021 Hi, We’ve analyzed this issue and released a fix for it in Jira 8.7 and later, including the Jira 8.13 LTS release. The risk of exploiting this vulnerability is low, as it can only be exploited by someone with admin credentials. We’re not planning to backport the fix to Jira 8.5 LTS, as it might break your current field descriptions that contain HTML, which we don’t want to do in a bugfix release. You can, however, implement the same fix manually by changing one of the Jira settings. To fix this manually, In Jira, go to Administration > General Configuration , and select Edit Settings . Set the Enable HTML in field descriptions and list values setting to OFF. After disabling this setting, you will also need to update the field descriptions that contain HTML, and remove the markup. This is the breaking behavior we’ve mentioned above. We also advise to upgrade to the latest Jira 8.13 LTS release. Thank you, Jira Server and Data Center Team

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the Add Field module.

Affected versions:

version < 8.7.0

Fixed versions:

8.7.0

relates to

JRASERVER-44458 Using JavaScript in description field should require explicit configuration

Closed

mentioned in: Page Failed to load; Page Failed to load; Page Failed to load

Filip Nowak added a comment - 01/Feb/2021 8:56 AM

Hi,

We’ve analyzed this issue and released a fix for it in Jira 8.7 and later, including the Jira 8.13 LTS release. The risk of exploiting this vulnerability is low, as it can only be exploited by someone with admin credentials.

We’re not planning to backport the fix to Jira 8.5 LTS, as it might break your current field descriptions that contain HTML, which we don’t want to do in a bugfix release. You can, however, implement the same fix manually by changing one of the Jira settings.

To fix this manually,

In Jira, go to Administration > General Configuration, and select Edit Settings.
Set the Enable HTML in field descriptions and list values setting to OFF. After disabling this setting, you will also need to update the field descriptions that contain HTML, and remove the markup. This is the breaking behavior we’ve mentioned above.

We also advise to upgrade to the latest Jira 8.13 LTS release.

Filip Nowak added a comment - 01/Feb/2021 8:56 AM Hi, We’ve analyzed this issue and released a fix for it in Jira 8.7 and later, including the Jira 8.13 LTS release. The risk of exploiting this vulnerability is low, as it can only be exploited by someone with admin credentials. We’re not planning to backport the fix to Jira 8.5 LTS, as it might break your current field descriptions that contain HTML, which we don’t want to do in a bugfix release. You can, however, implement the same fix manually by changing one of the Jira settings. To fix this manually, In Jira, go to Administration > General Configuration , and select Edit Settings . Set the Enable HTML in field descriptions and list values setting to OFF. After disabling this setting, you will also need to update the field descriptions that contain HTML, and remove the markup. This is the breaking behavior we’ve mentioned above. We also advise to upgrade to the latest Jira 8.13 LTS release.

Aleksandar Josic added a comment - 03/Dec/2020 9:57 AM - edited

Hallo Atlassian! When this issue would be fixed in ER 8.5 ???

(Question placed on 2020-12-03)

Aleksandar Josic added a comment - 03/Dec/2020 9:57 AM - edited Hallo Atlassian! When this issue would be fixed in ER 8.5 ??? (Question placed on 2020-12-03)

Kimberly Deal added a comment - 27/Aug/2020 7:02 PM

Yes, please update what the fix version for 8.5 will be.

Kimberly Deal added a comment - 27/Aug/2020 7:02 PM Yes, please update what the fix version for 8.5 will be.

SebastianB added a comment - 26/Aug/2020 10:20 AM

When will 8.5.x be fixed?

SebastianB added a comment - 26/Aug/2020 10:20 AM When will 8.5.x be fixed?

Security Metrics Bot added a comment - 02/Apr/2020 4:28 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 4.8 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	High
User Interaction	Required

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	Low
Integrity	Low
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Security Metrics Bot added a comment - 02/Apr/2020 4:28 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 4.8 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required High User Interaction Required Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity Low Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Jira Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

[JRASERVER-70858] Stored XSS in Add Field module - CVE-2019-20900

Collapse comment: Filip Nowak added a comment - 01/Feb/2021 8:56 AM

Expand comment: Filip Nowak added a comment - 01/Feb/2021 8:56 AM

Collapse comment: Aleksandar Josic added a comment - 03/Dec/2020 9:57 AM, Edited by Aleksandar Josic - 03/Dec/2020 9:59 AM

Expand comment: Aleksandar Josic added a comment - 03/Dec/2020 9:57 AM, Edited by Aleksandar Josic - 03/Dec/2020 9:59 AM

Collapse comment: Kimberly Deal added a comment - 27/Aug/2020 7:02 PM

Expand comment: Kimberly Deal added a comment - 27/Aug/2020 7:02 PM

Collapse comment: SebastianB added a comment - 26/Aug/2020 10:20 AM

Expand comment: SebastianB added a comment - 26/Aug/2020 10:20 AM

Collapse comment: Security Metrics Bot added a comment - 02/Apr/2020 4:28 AM

Expand comment: Security Metrics Bot added a comment - 02/Apr/2020 4:28 AM

People

Dates