The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

As an example to indicate impact, when running the vulnerable version of Jira in an environment like Amazon EC2, this flaw may be used to access a metadata resource that provides access credentials and other potentially confidential information.
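An added defender-side example, not code from Atlassian or from this ticket: it scans constructed access-log lines for makeRequest calls whose proxied target is a non-public address, which is how a successful use of this SSRF against the EC2 metadata service (link-local 169.254.0.0/16) or an internal host would look. The log format and the assumption that makeRequest receives its target in a `url` query parameter are both assumptions of this example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Constructed, Apache/Tomcat-style access log lines (not taken from the page).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [12/Feb/2020:10:01:02 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512
10.0.0.5 - - [12/Feb/2020:10:01:03 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=https%3A%2F%2Fjira.example.com%2Frest%2Fapi%2F2%2Fmyself HTTP/1.1" 200 812
10.0.0.7 - - [12/Feb/2020:10:01:04 +0000] "GET /plugins/servlet/gadgets/makeRequest?url=http%3A%2F%2F10.0.1.20%3A8080%2F HTTP/1.1" 200 300
10.0.0.7 - - [12/Feb/2020:10:01:05 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
MAKE_REQUEST_PATH = "/plugins/servlet/gadgets/makeRequest"


def is_internal_host(host: str) -> bool:
    """True when the proxied URL points at a non-public address.

    The EC2 metadata service sits in the link-local range, so is_link_local
    covers it; RFC 1918, loopback and reserved ranges are flagged as well.
    """
    if host in ("localhost", "metadata") or host.endswith((".internal", ".local")):
        return True
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        # A DNS name: offline we cannot resolve it. In production, resolve it
        # and re-check the answer, since a public name may point inward.
        return False
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified)


def find_makerequest_ssrf(log_text: str):
    """Return (client, proxied host, status) for makeRequest calls to internal targets."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlparse(m["target"])
        if target.path != MAKE_REQUEST_PATH:
            continue
        # parse_qs percent-decodes the proxied URL for us ("url" is an assumed parameter name).
        for url in parse_qs(target.query).get("url", []):
            host = urlparse(url).hostname or ""
            if is_internal_host(host):
                findings.append((m["client"], host, m["status"]))
    return findings
```

A 200 status on a flagged line means the proxy answered, so the content of that internal resource should be assumed exposed when triaging.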

      Affected versions:

      • version < 8.7.0

      Fixed versions:

      • 8.7.0

            [JRASERVER-71204] SSRF in Dashboard & Gadgets - CVE-2019-20408

Faisal Shamim added a comment -

Hi @Mateusz, has this been fixed for 8.5.3?

            Mateusz Marzęcki added a comment - - edited

Hi everyone, thank you for raising the concerns regarding the fixed versions. I've double-checked that and it turns out that the fix has been shipped within Jira 8.5.2, not Jira 8.5.0. Please accept my apologies for misleading you.

            I've updated the "fix version" field on the ticket to reflect the actual state.

            Thanks,

Mateusz

            Jim Walsh added a comment -

            Still looking for confirmation on if/when this was fixed on 8.5.x.

            Release notes still say fixed in 8.5.0, but that was released 8 months before the CVE was created.  Assuming 8.5.9, but we need confirmation.

I need this information to share with our security compliance team.

Kimberly Deal added a comment -

How is this introduced in 8.5 and also fixed in 8.5.0?

            Eric Yi added a comment -

Would appreciate a confirmation as well.

            Jim Walsh added a comment -

I assume fix version is actually 8.5.9. Please confirm.

            Jim Walsh added a comment -

            8.5 LTS needs this back ported.  We can't expect to upgrade minor versions every 60-90 days.

What makes this a less-than-critical vulnerability?

            Eric Yi added a comment -

I also need to know if this will be fixed in an LTS release (8.5.x).

Security Operations added a comment -

Will this issue be fixed in 8.5.x? Thank you.
I see the issue is closed, but would like to know if there is a plan to provide a fix for the LTS release.

Security Metrics Bot added a comment -

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 7.2 => High severity

Exploitability Metrics

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None

Scope Metric

Scope: Changed

Impact Metrics

Confidentiality: Low
Integrity: Low
Availability: None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
