
Denial of service in Dashboard & Gadgets - CVE-2020-14167

      Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in Dashboard & Gadgets.

      Affected versions:

      • version < 7.13.14
      • 8.5.0 ≤ version < 8.5.5
      • 8.8.0 ≤ version < 8.8.2
      • 8.9.0 ≤ version < 8.9.1

      Fixed versions:

      • 7.13.14
      • 8.5.5
      • 8.8.2
      • 8.9.1
      • 8.10.0
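The version ranges above are the operative part of this advisory for an administrator: a Jira Server or Data Center instance is exposed only if its version falls inside one of the listed half-open intervals, and the lowest fixed release on the same line is the upgrade target. The following checker is an added example for this page, not Atlassian code; it encodes the ranges exactly as the advisory states them and reports a third outcome, "not covered by advisory", for release lines such as 8.0.x through 8.4.x or 8.6.x that the advisory neither lists as affected nor as fixed, so that an unlisted version is not mistaken for a safe one. The assumption that every release from 8.10.0 onward carries the fix, and the sample versions checked in `main`, are constructed for illustration.

```python
"""Classify a Jira Server / Data Center version against the ranges that the
advisory for CVE-2020-14167 lists as affected and fixed.

Added example, not Atlassian code. AFFECTED_RANGES and FIXED_VERSIONS are
copied from the advisory text; the sample versions in main() are constructed.
"""

from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# (inclusive lower bound or None, exclusive upper bound), as listed in the advisory.
AFFECTED_RANGES: List[Tuple[Optional[str], str]] = [
    (None, "7.13.14"),
    ("8.5.0", "8.5.5"),
    ("8.8.0", "8.8.2"),
    ("8.9.0", "8.9.1"),
]

FIXED_VERSIONS = ["7.13.14", "8.5.5", "8.8.2", "8.9.1", "8.10.0"]

# Assumption (not stated on the page): every release from 8.10.0 onward
# includes the fix, since 8.10.0 is the first release of a line listed as fixed.
FIRST_CLEAN_LINE = "8.10.0"


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' into a tuple of ints.

    A '-suffix' (e.g. a Jira milestone tag) or '+build' part is dropped; only
    the numeric components are compared. Shorter strings are padded with zeros
    so that '8.5' compares equal to '8.5.0' rather than sorting below it.
    """
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if low is not None and v < parse_version(low):
            continue
        if v < parse_version(high):
            return True
    return False


def classify(version: str) -> str:
    """Return 'affected', 'fixed', or 'not covered by advisory'.

    'fixed' means the version is at or above the fixed release on its own
    major.minor line, or at or above FIRST_CLEAN_LINE. Anything else that is
    not inside an affected range is a line the advisory simply does not list,
    which is not the same as being known-good.
    """
    v = parse_version(version)
    if is_affected(version):
        return "affected"
    for fixed in FIXED_VERSIONS:
        f = parse_version(fixed)
        if v[:2] == f[:2] and v >= f:
            return "fixed"
    if v >= parse_version(FIRST_CLEAN_LINE):
        return "fixed"
    return "not covered by advisory"


def upgrade_target(version: str) -> Optional[str]:
    """Lowest fixed release on the same line as an affected version, else the
    newest fixed release in the advisory. None if the version is not affected."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    for fixed in FIXED_VERSIONS:
        if parse_version(fixed)[:2] == v[:2]:
            return fixed
    return FIXED_VERSIONS[-1]


def main() -> None:
    # Constructed sample inventory, not real instances.
    for sample in ["7.12.3", "7.13.14", "8.0.0", "8.5.4", "8.5.8", "8.6.1", "8.9.0-m0012", "8.13.2"]:
        target = upgrade_target(sample)
        note = f" -> upgrade to {target}" if target else ""
        print(f"{sample:<12} {classify(sample)}{note}")


if __name__ == "__main__":
    main()
```

Run it against the versions reported by your own instances; a result of "not covered by advisory" is a prompt to consult Atlassian's current support and release notes rather than a clean bill of health.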

            [JRASERVER-71197] Denial of service in Dashboard & Gadgets - CVE-2020-14167

            Mark Lang made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 509305 ]

            Nadeem Zakir added a comment - - edited

            is this fixed in Jira 8.5.8?

            Mark Lang made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 500451 ]

            Alexey Petrenok added a comment -

            Hello,
            Sorry for writing here, but it is quite hard to reach Atlassian employees responsible for bug bounty elsewhere.

            I already asked the same question in https://jira.atlassian.com/browse/JRASERVER-70808, but I'll repeat it here in the hope of reaching the right people.

            This Denial of Service issue has the `bugbounty` label, which clearly indicates that it was reported to you via bug bounty.

            I've found DoS vulnerabilities in Jira and Confluence which allow an unauthenticated attacker with just a single PC and an average internet connection to take down entire servers.
            I tried reporting one of the vulnerabilities here, but it is marked as 'Out of scope' due to `No Load testing (DoS/DDoS etc) is allowed on the instance.` However, I have not sent a single request to Atlassian servers. All testing was done on my own server.

            I believe these findings are too important to just ignore like this.

            What is the proper way to get Denial of Service bugs triaged and delivered to you?
            alexmin (Inactive) made changes -
            Labels Original: CVE-2020-14167 advisory advisory-to-release bugbounty cvss-high denial-of-service dos monsters security New: CVE-2020-14167 advisory advisory-released bugbounty cvss-high denial-of-service dos monsters security
            alexmin (Inactive) made changes -
            Security Original: Atlassian Staff [ 10750 ]
            alexmin (Inactive) made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Needs Triage [ 10030 ] New: Closed [ 6 ]
            alexmin (Inactive) made changes -
            Summary Original: Denial of service in Dashboard & Gadgets - CVE-PENDING New: Denial of service in Dashboard & Gadgets - CVE-2020-14167
            alexmin (Inactive) made changes -
            Labels Original: advisory advisory-to-release bugbounty cvss-high denial-of-service dos monsters security New: CVE-2020-14167 advisory advisory-to-release bugbounty cvss-high denial-of-service dos monsters security
            alexmin (Inactive) made changes -
            Description Original: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in Dashboard & Gadgets.

            *Affected versions:*
             * version < 7.13.14
             * 7.14.0 ≤ version < 8.5.5
             * 8.6.0 ≤ version < 8.8.2
             * 8.9.0 ≤ version < 8.9.1

            *Fixed versions:*
             * 7.13.14
             * 8.5.5
             * 8.8.2
             * 8.9.1
             * 8.10.0
            New: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in Dashboard & Gadgets.

            *Affected versions:*
             * version < 7.13.14
             * 8.5.0 ≤ version < 8.5.5
             * 8.8.0 ≤ version < 8.8.2
             * 8.9.0 ≤ version < 8.9.1

            *Fixed versions:*
             * 7.13.14
             * 8.5.5
             * 8.8.2
             * 8.9.1
             * 8.10.0

              Assignee: Unassigned
              Reporter: Security Metrics Bot
              Affected customers: 0
              Watchers: 5
