The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.7.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.

As an example of impact, when the vulnerable version of Jira is running in an environment like Amazon EC2, this flaw may be used to access a metadata resource that provides access credentials and other potentially confidential information.

Affected versions:

• version < 8.7.0

Fixed versions:

• 8.7.0

            [JRASERVER-71204] SSRF in Dashboard & Gadgets - CVE-2019-20408

Faisal Shamim added a comment -

Hi @Mateusz, has this been fixed for 8.5.3?

Mateusz Marzęcki added a comment - edited

Hi everyone, thank you for raising the concerns regarding the fixed versions. I've double checked that and it turns out that the fix has been shipped within Jira 8.5.2, not Jira 8.5.0. Please accept my apologies for misleading you.

I've updated the "fix version" field on the ticket to reflect the actual state.

Thanks,

Mateusz

            Mateusz Marzęcki made changes -
            Assignee New: Mateusz Marzęcki [ mmarzecki ]
            Mateusz Marzęcki made changes -
            Fix Version/s New: 8.5.2 [ 89500 ]
            Fix Version/s Original: 8.5.0 [ 87493 ]

            Jim Walsh added a comment -

            Still looking for confirmation on if/when this was fixed on 8.5.x.

            Release notes still say fixed in 8.5.0, but that was released 8 months before the CVE was created.  Assuming 8.5.9, but we need confirmation.

            I need this information to share with our security compliance team.


Kimberly Deal added a comment -

How is this introduced in 8.5 and also fixed in 8.5.0?

            Eric Yi added a comment -

            Would appreciate a confirmation as well. 

            Mark Lang made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 509302 ]

            Jim Walsh added a comment -

            I assume fix version is actually 8.5.9.  Please confirm

            set-jac-bot made changes -
            Fixed in Long Term Support Release/s New: [Download 8.5|https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html]
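The fix versions given in the description and corrected in the comments (8.7.0 on the main line, 8.5.2 on the 8.5 LTS branch), turned into a triage check for an instance inventory. This is an added example, not Atlassian's code or the ticket's; it assumes 8.6.x remains affected because the ticket names no 8.6 fix version.

```python
"""Triage helper for CVE-2019-20408 (JRASERVER-71204): decide whether a Jira
Server version string falls inside the affected range stated on the ticket."""
import re
from typing import Dict, Iterable, Tuple

# Fix versions as stated on the ticket: 8.7.0 on the main line and the
# 8.5.2 backport on the 8.5 LTS branch (corrected from 8.5.0 in the comments).
MAINLINE_FIX = (8, 7, 0)
LTS_BRANCH = (8, 5)
LTS_FIX = (8, 5, 2)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]'; a missing patch is 0, suffixes are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Jira version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def is_affected(version: str) -> bool:
    """True when the version is still vulnerable according to the ticket.

    Everything below 8.7.0 is affected, except 8.5.x releases at or above the
    8.5.2 LTS backport. 8.6.x is treated as affected because the ticket lists
    no 8.6 fix version (assumption drawn from the page, not stated on it).
    """
    v = parse_version(version)
    if v >= MAINLINE_FIX:
        return False
    if v[:2] == LTS_BRANCH and v >= LTS_FIX:
        return False
    return True


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each version string to 'affected' or 'fixed' for a compliance report."""
    return {v: ("affected" if is_affected(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["8.4.3", "8.5.0", "8.5.1", "8.5.2", "8.5.9", "8.6.1", "8.7.0", "8.13.4"]
    for ver, status in triage(sample).items():
        print(f"{ver:>8}  {status}")
```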

              mmarzecki Mateusz Marzęcki
              security-metrics-bot Security Metrics Bot