[JRASERVER-71197] Denial of service in Dashboard & Gadgets - CVE-2020-14167 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 7.13.14, 8.5.5, 8.8.2, 8.10.0, 8.9.1
Affects Version/s: 7.6.15, 8.5.4, 7.13.13, 8.8.1
Component/s: Dashboard & Gadgets
Labels:

Fixed in Long Term Support Release/s:

Download 7.13, 8.5
Introduced in Version:
7.06
Symptom Severity:
Severity 1 - Critical
Bug Fix Policy:
View Atlassian Server bug fix policy

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in Dashboard & Gadgets.

Affected versions:

version < 7.13.14
8.5.0 ≤ version < 8.5.5
8.8.0 ≤ version < 8.8.2
8.9.0 ≤ version < 8.9.1

Fixed versions:

7.13.14
8.5.5
8.8.2
8.9.1
8.10.0

mentioned in: Page Failed to load; Page Failed to load

Nadeem Zakir added a comment - 24/Sep/2020 2:53 PM - edited

is this fixed in Jira 8.5.8?

Nadeem Zakir added a comment - 24/Sep/2020 2:53 PM - edited is this fixed in Jira 8.5.8?

Alexey Petrenok added a comment - 30/Jul/2020 10:17 AM

Hello,
Sorry for writing here, but it is quite hard to reach Atlassian employees responsible for bugbounty elsewhere.

I already asked the same question in https://jira.atlassian.com/browse/JRASERVER-70808, but I'll repeat it here in hopes to reach the right people.

This Denial of Service issue has `bugbounty` label, which clearly indicates that t was reported to you via bugbounty.

I've found DoS vulnerabilities in Jira and Confluence, which allow an unauthenticated attacker with just a single pc and average internet connection to take down entire servers.
I tried reporting one of the vulnerabilities here, but it is marked as 'Out of scope' due to `No Load testing (DoS/DDoS etc) is allowed on the instance.` However, i have not sent a single request to Atlassian servers. All testing was done on my own server.

I believe these findings are quite important to just ignore them like this.

What is the proper way to get Denial of Service bugs triaged and delivered to you?

Alexey Petrenok added a comment - 30/Jul/2020 10:17 AM Hello, Sorry for writing here, but it is quite hard to reach Atlassian employees responsible for bugbounty elsewhere. I already asked the same question in https://jira.atlassian.com/browse/JRASERVER-70808 , but I'll repeat it here in hopes to reach the right people. This Denial of Service issue has `bugbounty` label, which clearly indicates that t was reported to you via bugbounty. I've found DoS vulnerabilities in Jira and Confluence, which allow an unauthenticated attacker with just a single pc and average internet connection to take down entire servers. I tried reporting one of the vulnerabilities here , but it is marked as 'Out of scope' due to `No Load testing (DoS/DDoS etc) is allowed on the instance.` However, i have not sent a single request to Atlassian servers. All testing was done on my own server. I believe these findings are quite important to just ignore them like this. What is the proper way to get Denial of Service bugs triaged and delivered to you?

Security Metrics Bot added a comment - 18/Jun/2020 2:44 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 7.5 => High severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	None
Integrity	None
Availability	High

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Security Metrics Bot added a comment - 18/Jun/2020 2:44 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 7.5 => High severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality None Integrity None Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 5 Start watching this issue

Created:: 18/Jun/2020 2:44 AM

Updated:: 08/Mar/2021 3:48 PM

Resolved:: 19/Jun/2020 12:54 AM

Jira Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

[JRASERVER-71197] Denial of service in Dashboard & Gadgets - CVE-2020-14167

Collapse comment: Nadeem Zakir added a comment - 24/Sep/2020 2:53 PM, Edited by Nadeem Zakir - 24/Sep/2020 2:53 PM

Expand comment: Nadeem Zakir added a comment - 24/Sep/2020 2:53 PM, Edited by Nadeem Zakir - 24/Sep/2020 2:53 PM

Collapse comment: Alexey Petrenok added a comment - 30/Jul/2020 10:17 AM

Expand comment: Alexey Petrenok added a comment - 30/Jul/2020 10:17 AM

Collapse comment: Security Metrics Bot added a comment - 18/Jun/2020 2:44 AM

Expand comment: Security Metrics Bot added a comment - 18/Jun/2020 2:44 AM

People

Dates