Uploaded image for project: 'Jira Server and Data Center'
  1. Jira Server and Data Center
  2. JRASERVER-72025

Jira bundles a vulnerable version of atlassian-gadgets - CVE-2020-36232

    XMLWordPrintable

    Details

    • CVSS Score:
      5
    • CVSS Severity:
      Medium

      Description

      The atlassian-gadgets plugin used in affected versions of Atlassian Jira Server and Data Center allows unexpected DNS lookups and requests to malicious servers via server side request forgery vulnerability. 

      The affected versions are before version 8.5.10, from version 8.5.11 to version 8.13.2, from version 8.13.3 to version 8.14.1, and before version 8.15.0.

      Affected versions:

      • version < 8.5.10
      • 8.5.11 ≤ version < 8.13.2
      • 8.13.3 ≤ version < 8.14.1
      • version ≤ 8.15.0

      Fixed versions:

      • 8.5.10
      • 8.13.2
      • 8.14.1
      • 8.15.0

       See https://ecosystem.atlassian.net/browse/AG-1532 for further details and or below -

      Additional details from https://ecosystem.atlassian.net/browse/AG-1532 -

      The MessageBundleWhiteList class of atlassian-gadgets before version 4.2.37, from version 4.3.0 before 4.3.14, from version 4.3.2.0 before 4.3.2.4, from version 4.4.0 before 4.4.12, and from version 5.0.0 before 5.0.1 allowed unexpected DNS lookups and requests to arbitrary services as it incorrectly obtained application base url information from the executing http request which could be attacker controlled.

      The following versions of atlassian-gadgets are affected:

      • Versions before 4.2.37
      • Versions from 4.3.0 before 4.3.14
      • Versions from 4.3.2.0 before 4.3.2.4
      • Versions from 4.4.0 before 4.4.12
      • Version 5.0.0

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: