[JRASERVER-71388] Regex DoS via JQL version searching - CVE-2020-14177 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.12.0, 7.13.16, 8.5.7, 8.11.1, 8.10.2
Affects Version/s: 7.9.0, 8.9.0
Component/s: JQL
Labels:

Fixed in Long Term Support Release/s:

Download 7.13, 8.5
Introduced in Version:
7.09
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Regex-based Denial of Service (DoS) vulnerability in JQL version searching.

Affected versions:

version < 7.13.16
8.0.0 ≤ version < 8.5.7
8.6.0 ≤ version < 8.10.2
8.11.0 ≤ version < 8.11.1

Fixed versions:

7.13.16
8.5.7
8.10.2
8.11.1
8.12.0

Security Metrics Bot added a comment - 03/Aug/2020 10:38 PM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 5.3 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	High
Privileges Required	Low
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	None
Integrity	None
Availability	High

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Security Metrics Bot added a comment - 03/Aug/2020 10:38 PM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 5.3 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity High Privileges Required Low User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality None Integrity None Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Affected customers:: 0 This affects my team

Watchers:: 4 Start watching this issue

Created:: 03/Aug/2020 10:38 PM

Updated:: 19/Nov/2020 4:51 AM

Resolved:: 10/Aug/2020 6:18 PM

Jira Data Center

Details

Description

Attachments

Forms

Activity

[JRASERVER-71388] Regex DoS via JQL version searching - CVE-2020-14177

Collapse comment: Security Metrics Bot added a comment - 03/Aug/2020 10:38 PM

Expand comment: Security Metrics Bot added a comment - 03/Aug/2020 10:38 PM

People

Dates