Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-70858

Stored XSS in Add Field module - CVE-2019-20900

XMLWordPrintable

    • 8.02
    • Severity 3 - Minor
    • Hide

       

      Atlassian Update – 01 February 2021

       
      Hi,

      We’ve analyzed this issue and released a fix for it in Jira 8.7 and later, including the Jira 8.13 LTS release. The risk of exploiting this vulnerability is low, as it can only be exploited by someone with admin credentials.

      We’re not planning to backport the fix to Jira 8.5 LTS, as it might break your current field descriptions that contain HTML, which we don’t want to do in a bugfix release. You can, however, implement the same fix manually by changing one of the Jira settings.

      To fix this manually,

      1. In Jira, go to Administration > General Configuration, and select Edit Settings.
      2. Set the Enable HTML in field descriptions and list values setting to OFF. After disabling this setting, you will also need to update the field descriptions that contain HTML, and remove the markup. This is the breaking behavior we’ve mentioned above.

      We also advise to upgrade to the latest Jira 8.13 LTS release.

       

      Thank you,

      Jira Server and Data Center Team

      Show
        Atlassian Update – 01 February 2021   Hi, We’ve analyzed this issue and released a fix for it in Jira 8.7 and later, including the Jira 8.13 LTS release. The risk of exploiting this vulnerability is low, as it can only be exploited by someone with admin credentials. We’re not planning to backport the fix to Jira 8.5 LTS, as it might break your current field descriptions that contain HTML, which we don’t want to do in a bugfix release. You can, however, implement the same fix manually by changing one of the Jira settings. To fix this manually, In Jira, go to Administration > General Configuration , and select Edit Settings . Set the Enable HTML in field descriptions and list values setting to OFF. After disabling this setting, you will also need to update the field descriptions that contain HTML, and remove the markup. This is the breaking behavior we’ve mentioned above. We also advise to upgrade to the latest Jira 8.13 LTS release.   Thank you, Jira Server and Data Center Team

      Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the Add Field module.

      Affected versions:

      • version < 8.7.0

      Fixed versions:

      • 8.7.0

            [JRASERVER-70858] Stored XSS in Add Field module - CVE-2019-20900

            Filip Nowak made changes -
            Current Status New:  
            {panel:title=Atlassian Update – 01 February 2021|borderStyle=solid|borderColor=#ebf2f9|titleBGColor=#ebf2f9|bgColor=#ffffff}
            {panel}
             
             Hi,

            We’ve analyzed this issue and released a fix for it in Jira 8.7 and later, including the Jira 8.13 LTS release. The risk of exploiting this vulnerability is low, as it can only be exploited by someone with admin credentials.

            We’re not planning to backport the fix to Jira 8.5 LTS, as it might break your current field descriptions that contain HTML, which we don’t want to do in a bugfix release. You can, however, implement the same fix manually by changing one of the Jira settings.

            To fix this manually,
             # In Jira, go to *Administration > General Configuration*, and select *Edit Settings*.
             # Set the *Enable HTML in field descriptions and list values* setting to OFF. After disabling this setting, you will also need to update the field descriptions that contain HTML, and remove the markup. This is the breaking behavior we’ve mentioned above.

            We also advise to upgrade to the latest Jira 8.13 LTS release.

             

            Thank you,

            Jira Server and Data Center Team

            Filip Nowak added a comment -

            Hi,

            We’ve analyzed this issue and released a fix for it in Jira 8.7 and later, including the Jira 8.13 LTS release. The risk of exploiting this vulnerability is low, as it can only be exploited by someone with admin credentials.

            We’re not planning to backport the fix to Jira 8.5 LTS, as it might break your current field descriptions that contain HTML, which we don’t want to do in a bugfix release. You can, however, implement the same fix manually by changing one of the Jira settings.

            To fix this manually,

            1. In Jira, go to Administration > General Configuration, and select Edit Settings.
            2. Set the Enable HTML in field descriptions and list values setting to OFF. After disabling this setting, you will also need to update the field descriptions that contain HTML, and remove the markup. This is the breaking behavior we’ve mentioned above.

            We also advise to upgrade to the latest Jira 8.13 LTS release.

            Filip Nowak added a comment - Hi, We’ve analyzed this issue and released a fix for it in Jira 8.7 and later, including the Jira 8.13 LTS release. The risk of exploiting this vulnerability is low, as it can only be exploited by someone with admin credentials. We’re not planning to backport the fix to Jira 8.5 LTS, as it might break your current field descriptions that contain HTML, which we don’t want to do in a bugfix release. You can, however, implement the same fix manually by changing one of the Jira settings. To fix this manually, In Jira, go to Administration > General Configuration , and select Edit Settings . Set the Enable HTML in field descriptions and list values setting to OFF. After disabling this setting, you will also need to update the field descriptions that contain HTML, and remove the markup. This is the breaking behavior we’ve mentioned above. We also advise to upgrade to the latest Jira 8.13 LTS release.

            Aleksandar Josic added a comment - - edited

            Hallo Atlassian! When this issue would be fixed in ER 8.5 ???

            (Question placed on 2020-12-03)

            Aleksandar Josic added a comment - - edited Hallo Atlassian! When this issue would be fixed in ER 8.5 ??? (Question placed on 2020-12-03)
            David Black made changes -
            Labels Original: advisory advisory-to-release bugbounty cve-2019-20900 cvss-medium monsters security xss New: advisory advisory-released bugbounty cve-2019-20900 cvss-medium monsters security xss
            Mark Lang made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 508995 ]

            Kimberly Deal added a comment -

            Yes, please update what the fix version for 8.5 will be.

            Kimberly Deal added a comment - Yes, please update what the fix version for 8.5 will be.

            SebastianB added a comment -

            When will 8.5.x be fixed?

             

            SebastianB added a comment - When will 8.5.x be fixed?  
            Tilwin Joy (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 500695 ]
            Mark Lang made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 500447 ]
            AB made changes -
            Summary Original: Stored XSS in Add Field module New: Stored XSS in Add Field module - CVE-2019-20900

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Affected customers:
              0 This affects my team
              Watchers:
              13 Start watching this issue

                Created:
                Updated:
                Resolved: