
Application DoS via the /rendering/wiki endpoint - CVE-2019-20418

      Affected versions of Atlassian Jira Server and Data Center allow remote attackers to prevent users from accessing the instance via an Application Denial of Service vulnerability in the /rendering/wiki endpoint.

      Affected versions

      • version < 8.8.0

      Fixed versions

      • 8.8.0
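A practitioner reading this advisory mostly wants to know whether a given instance sits in the affected range. The following check is an added example, not Atlassian's code or anything from this issue: it reads the version string Jira reports from its `/rest/api/2/serverInfo` REST resource (assumed to be reachable without login, as it is on default installs) and compares it against the boundaries on this page. The 8.8.0 boundary comes from the Fixed versions field; the 8.5.7 LTS boundary comes only from the comment thread below and is marked as an assumption in the code. The sample response is constructed, so the check runs offline; it never touches `/rendering/wiki` itself.

```python
import json
import re
from urllib.request import urlopen

# Jira's server-info REST resource; assumed reachable anonymously on default installs.
# Only the "version" field is used.
SERVER_INFO_PATH = "/rest/api/2/serverInfo"

# Version boundaries taken from this issue page.
FIXED_VERSION = (8, 8, 0)  # "Fixed versions: 8.8.0"
LTS_BACKPORT = (8, 5, 7)   # fix on the 8.5 LTS line according to the comment thread;
                           # not in the Fixed versions field, so treat it as an assumption


def parse_version(version: str) -> tuple:
    """Turn '8.5.7' (or '8.5.7-m0012', '8.8') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Jira version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True if the version falls inside the affected range for JRASERVER-70943."""
    v = parse_version(version)
    if v >= FIXED_VERSION:
        return False
    # 8.5.x LTS line: fixed from 8.5.7 onwards per the comments on this issue (assumption).
    if v[:2] == (8, 5) and v >= LTS_BACKPORT:
        return False
    return True


def assess_server_info(payload: str) -> dict:
    """Evaluate a serverInfo JSON document as returned by SERVER_INFO_PATH."""
    info = json.loads(payload)
    version = info["version"]
    return {"version": version, "affected": is_affected(version)}


def assess_live(base_url: str, timeout: float = 10.0) -> dict:
    """Fetch serverInfo from a running instance and assess it (needs network access)."""
    with urlopen(base_url.rstrip("/") + SERVER_INFO_PATH, timeout=timeout) as resp:
        return assess_server_info(resp.read().decode("utf-8"))


# Constructed sample response (not captured from a real instance).
SAMPLE_SERVER_INFO = json.dumps({
    "baseUrl": "https://jira.example.test",
    "version": "8.5.6",
    "versionNumbers": [8, 5, 6],
    "deploymentType": "Server",
})

if __name__ == "__main__":
    result = assess_server_info(SAMPLE_SERVER_INFO)
    state = "AFFECTED" if result["affected"] else "not affected"
    print(f"Jira {result['version']}: {state} by JRASERVER-70943")
```

Versions 8.6.x and 8.7.x are below 8.8.0 and are reported as affected, since nothing on this page says they received a backport; if you rely on the 8.5.7 boundary, confirm it against Atlassian's own release notes for that version.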


            Tobias added a comment -

            It is fixed with the 8.5.7 LTS version. See above, "Fixed in Version/s:".

            Deleted Account (Inactive) added a comment -

            Jira LTS v8.5.7 was just released by Atlassian. However, it seems like the issue is NOT listed as one of the bugs that are fixed in Jira v8.5.7.

            https://confluence.atlassian.com/jirasoftware/issues-resolved-in-8-5-7-1018767308.html

            AB added a comment -

            Hi gonchik and 5064ec03ce9c, the bug is currently being backported to Jira LTS 8.5.7. The current ETA to release 8.5.7 publicly is August 10th; however, please note that this is not yet an official announcement and the date is subject to change.

            Open Systems AG added a comment -

            Please notify of expected 8.5.x backport plans.

            Gonchik Tsymzhitov added a comment -

            Any plans to make a backport to the 8.5 release?

            Security Metrics Bot added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.
            CVSS v3 score: 6.5 => Medium severity

            Exploitability Metrics

            Attack Vector: Network
            Attack Complexity: Low
            Privileges Required: Low
            User Interaction: None

            Scope Metric

            Scope: Unchanged

            Impact Metrics

            Confidentiality: None
            Integrity: None
            Availability: High

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
