Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 8.7.0
Affects Version/s: 8.2.1
Component/s: Administration - Fields
Labels:
- advisory
- advisory-released
- bugbounty
- cve-2019-20900
- cvss-medium
- monsters
- security
- xss

Introduced in Version:
8.02
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy
Current Status:
Hide

Atlassian Update – 01 February 2021

Hi,

We’ve analyzed this issue and released a fix for it in Jira 8.7 and later, including the Jira 8.13 LTS release. The risk of exploiting this vulnerability is low, as it can only be exploited by someone with admin credentials.

We’re not planning to backport the fix to Jira 8.5 LTS, as it might break your current field descriptions that contain HTML, which we don’t want to do in a bugfix release. You can, however, implement the same fix manually by changing one of the Jira settings.

To fix this manually,

In Jira, go to Administration > General Configuration, and select Edit Settings.

Set the Enable HTML in field descriptions and list values setting to OFF. After disabling this setting, you will also need to update the field descriptions that contain HTML, and remove the markup. This is the breaking behavior we’ve mentioned above.

We also advise to upgrade to the latest Jira 8.13 LTS release.

Thank you,

Jira Server and Data Center Team
Show
Atlassian Update – 01 February 2021 Hi, We’ve analyzed this issue and released a fix for it in Jira 8.7 and later, including the Jira 8.13 LTS release. The risk of exploiting this vulnerability is low, as it can only be exploited by someone with admin credentials. We’re not planning to backport the fix to Jira 8.5 LTS, as it might break your current field descriptions that contain HTML, which we don’t want to do in a bugfix release. You can, however, implement the same fix manually by changing one of the Jira settings. To fix this manually, In Jira, go to Administration > General Configuration , and select Edit Settings . Set the Enable HTML in field descriptions and list values setting to OFF. After disabling this setting, you will also need to update the field descriptions that contain HTML, and remove the markup. This is the breaking behavior we’ve mentioned above. We also advise to upgrade to the latest Jira 8.13 LTS release. Thank you, Jira Server and Data Center Team

Description

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the Add Field module.

Affected versions:

version < 8.7.0

Fixed versions:

8.7.0

Attachments

Issue Links

relates to

JRASERVER-44458 Using JavaScript in description field should require explicit configuration

Closed

mentioned in: Page Loading...; Page Loading...; Page Loading...

Activity

People

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 13 Start watching this issue

Dates

Created:: 02/Apr/2020 4:28 AM

Updated:: 01/Feb/2021 8:56 AM

Resolved:: 02/Apr/2020 4:30 AM