Issue Summary

      Jira Server used a vulnerable version of jackson-databind.
      Specifically, the issue was present in FasterXML jackson-databind 2.x before 2.9.10.2. More information here: https://nvd.nist.gov/vuln/detail/CVE-2019-20330.
      Upgrade jackson-databind to at least version 2.9.10.20200103.

      Steps to Reproduce

      n/a

      Expected Results

      n/a

      Actual Results

      n/a

      Workaround

      N/A

            [JRASERVER-70971] RCE in jackson-databind

            Vinicius Fontes made changes -
            Remote Link Original: This issue links to "RAID-1938 (Bulldog)" [ 480914 ] New: This issue links to "RAID-1938 (JIRA Server (Bulldog))" [ 480914 ]
            David Black made changes -
            Description Original: h3. Issue Summary

            Jira Server using vulnerable version of jackson-databind . https://stash.atlassian.com/projects/JIRASERVER/repos/jira/browse/pom.xml#251
            FasterXML jackson-databind 2.x before 2.9.10.2 . More information here: https://nvd.nist.gov/vuln/detail/CVE-2019-20330.
            Upgrade jakson to at least version 2.9.10.20200103

            h3. Steps to Reproduce
            n/a

            h3. Expected Results
            n/a

            h3. Actual Results

            n/a

            h3. Workaround

            N/A
            New: h3. Issue Summary

            Jira Server used a vulnerable version of jackson-databind .
            In specific, the issue was present in FasterXML jackson-databind 2.x before 2.9.10.2 . More information here: https://nvd.nist.gov/vuln/detail/CVE-2019-20330.
            Upgrade jackson-databind to at least version 2.9.10.20200103 .

            h3. Steps to Reproduce
            n/a

            h3. Expected Results
            n/a

            h3. Actual Results

            n/a

            h3. Workaround

            N/A
            David Black made changes -
            Labels Original: cvss-high injection rce security vulnerable-components New: advisory advisory-released cvss-high injection rce security vulnerable-components
            Mitchell Johnson made changes -
            Security Original: Reporter and Atlassian Staff [ 10751 ]
            Ignat (Inactive) made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Waiting for Release [ 12075 ] New: Closed [ 6 ]
            set-jac-bot made changes -
            Mateusz Ostaszewski made changes -
            Fix Version/s New: 7.13.16 [ 92024 ]
            Fix Version/s New: 8.5.7 [ 92025 ]
            Fix Version/s New: 8.9.2 [ 92130 ]
            Fix Version/s New: 8.10.1 [ 92033 ]
            Mateusz Ostaszewski made changes -
            Fix Version/s New: 8.11.0 [ 92097 ]
            Mateusz Ostaszewski made changes -
            Status Original: In Progress [ 3 ] New: Waiting for Release [ 12075 ]
            Bugfix Automation Bot made changes -
            Support reference count New: 1

              mostaszewski@atlassian.com Mateusz Ostaszewski
              aminozhenko alexmin (Inactive)