[JRASERVER-70945] DLL hijacking in Jira Server & JSD via Tomcat - CVE-2019-20419 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.8.0, 8.7.2, 8.5.5
Affects Version/s: 8.5.2, 8.6.0, 8.7.0, 8.6.1
Component/s: Data Center - Installer, Installation, System Administration - Others
Labels:

Fixed in Long Term Support Release/s:

Download 8.5
Introduced in Version:
8.05
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to execute arbitrary code via a DLL hijacking vulnerability in Tomcat.

Affected versions:

version < 8.5.5
8.6.0 ≤ version < 8.7.2

Fixed versions:

8.5.5
8.7.2
8.8.0

mentioned in: Page Failed to load; Page Failed to load

Gertrude Dogendorf added a comment - 12/Apr/2021 7:05 PM

Hello. please confirm that removing this this vulnerability doesn't require to upgrade to 8.8 before upgrading to 8.13.x

Gertrude Dogendorf added a comment - 12/Apr/2021 7:05 PM Hello. please confirm that removing this this vulnerability doesn't require to upgrade to 8.8 before upgrading to 8.13.x

Gonchik Tsymzhitov added a comment - 02/May/2020 8:33 PM

Looks like it's next iteration of that ~~JRASERVER-70407~~

mdoar2yes

Gonchik Tsymzhitov added a comment - 02/May/2020 8:33 PM Looks like it's next iteration of that JRASERVER-70407 mdoar2 yes

Matt Doar added a comment - 22/Apr/2020 7:41 PM

Windows only right?

Matt Doar added a comment - 22/Apr/2020 7:41 PM Windows only right?

Security Metrics Bot added a comment - 22/Apr/2020 1:56 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 4.2 => Medium severity

Exploitability Metrics

Attack Vector	Local
Attack Complexity	High
Privileges Required	Low
User Interaction	None

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	Low
Integrity	Low
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

Security Metrics Bot added a comment - 22/Apr/2020 1:56 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 4.2 => Medium severity Exploitability Metrics Attack Vector Local Attack Complexity High Privileges Required Low User Interaction None Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity Low Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 5 Start watching this issue

Created:: 22/Apr/2020 1:56 AM

Updated:: 12/Apr/2021 7:05 PM

Resolved:: 22/Apr/2020 1:58 AM

Jira Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

[JRASERVER-70945] DLL hijacking in Jira Server & JSD via Tomcat - CVE-2019-20419

Collapse comment: Gertrude Dogendorf added a comment - 12/Apr/2021 7:05 PM

Expand comment: Gertrude Dogendorf added a comment - 12/Apr/2021 7:05 PM

Collapse comment: Gonchik Tsymzhitov added a comment - 02/May/2020 8:33 PM

Expand comment: Gonchik Tsymzhitov added a comment - 02/May/2020 8:33 PM

Collapse comment: Matt Doar added a comment - 22/Apr/2020 7:41 PM

Expand comment: Matt Doar added a comment - 22/Apr/2020 7:41 PM

Collapse comment: Security Metrics Bot added a comment - 22/Apr/2020 1:56 AM

Expand comment: Security Metrics Bot added a comment - 22/Apr/2020 1:56 AM

People

Dates