• Type: Bug
• Resolution: Fixed
• Priority: Low (View bug fix roadmap)
• Fix Version/s: 8.12.3, 8.5.9, 8.13.1, 8.14.0
• Affects Version/s: 8.4.2, 8.10.0
• Component/s: User Management - Others
• Labels:

  • CVE-2020-14184
  • advisory
  • cvss-medium
  • impossible-to-resolve-in-vf
  • security
  • security-imported
  • xss

[JRASERVER-71652] XSS in Jira issue filter export file via malicious full name - CVE-2020-14184

Collapse comment: Russell Berry added a comment - 28/Oct/2020 4:05 PM

Russell Berry added a comment - 28/Oct/2020 4:05 PM

Both Tenable and Qualys are flagging Jira for this CVE. A fixed version is still not available.

Expand comment: Russell Berry added a comment - 28/Oct/2020 4:05 PM

Russell Berry added a comment - 28/Oct/2020 4:05 PM Both Tenable and Qualys are flagging Jira for this CVE. A fixed version is still not available.

Collapse comment: Russell Berry added a comment - 26/Oct/2020 2:31 PM

Russell Berry added a comment - 26/Oct/2020 2:31 PM

Where do I get the fixed version 8.13.1? It is not available from https://www.atlassian.com/software/jira/download.

This link https://product-downloads.atlassian.com/software/jira/downloads/atlassian-jira-software-8.13.1.tar.gz also fails.

wget https://product-downloads.atlassian.com/software/jira/downloads/atlassian-jira-software-8.13.1.tar.gz
-2020-10-26 10:29:18- https://product-downloads.atlassian.com/software/jira/downloads/atlassian-jira-software-8.13.1.tar.gz
Resolving product-downloads.atlassian.com (product-downloads.atlassian.com)... 13.226.100.167, 2600:9000:21f9:bc00:1f:ab86:b4a:17e1, 2600:9000:21f9:ce00:1f:ab86:b4a:17e1, ...
Connecting to product-downloads.atlassian.com (product-downloads.atlassian.com)|13.226.100.167|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2020-10-26 10:29:18 ERROR 403: Forbidden.

Expand comment: Russell Berry added a comment - 26/Oct/2020 2:31 PM

Russell Berry added a comment - 26/Oct/2020 2:31 PM Where do I get the fixed version 8.13.1? It is not available from https://www.atlassian.com/software/jira/download. This link https://product-downloads.atlassian.com/software/jira/downloads/atlassian-jira-software-8.13.1.tar.gz also fails. wget https://product-downloads.atlassian.com/software/jira/downloads/atlassian-jira-software-8.13.1.tar.gz - 2020-10-26 10:29:18 - https://product-downloads.atlassian.com/software/jira/downloads/atlassian-jira-software-8.13.1.tar.gz Resolving product-downloads.atlassian.com (product-downloads.atlassian.com)... 13.226.100.167, 2600:9000:21f9:bc00:1f:ab86:b4a:17e1, 2600:9000:21f9:ce00:1f:ab86:b4a:17e1, ... Connecting to product-downloads.atlassian.com (product-downloads.atlassian.com)|13.226.100.167|:443... connected. HTTP request sent, awaiting response... 403 Forbidden 2020-10-26 10:29:18 ERROR 403: Forbidden.

Collapse comment: AB added a comment - 06/Oct/2020 11:08 PM

AB added a comment - 06/Oct/2020 11:08 PM

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 5.4 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low
User Interaction	Required

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	Low
Integrity	Low
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Expand comment: AB added a comment - 06/Oct/2020 11:08 PM

AB added a comment - 06/Oct/2020 11:08 PM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 5.4 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction Required Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity Low Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N