Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-72978

Unicode characters allow malicious code to be hidden from a human reviewer (Jira Server) - CVE-2021-42574

XMLWordPrintable

    • 7.1
    • High
    • CVE-2021-42574

      Researchers at the University of Cambridge reported a vulnerability affecting Jira Server / DC where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the browser or code editors but can affect the meaning of the source code when it is processed by a compiler or an interpreter. The issue is now fixed.

      Affected versions:

      • All versions before 8.13.13
      • All versions between 8.14.0 and 8.19.1 (inclusive)
      • All 8.20.x LTS versions before 8.20.1

      Fixed versions:

      • 8.13.13
      • 8.20.1

       

            [JRASERVER-72978] Unicode characters allow malicious code to be hidden from a human reviewer (Jira Server) - CVE-2021-42574

            Lars Klein added a comment -

            Copy & Paste was my inital try...

            No, I would not rate that as fixed. There can be normal text which includes the special chars. And as there is no indication for hidden bidi chars, a copy & paste will bring there somewhere eles where they might have an effect. It should be not only inidcated in Code Snippet parts like:

            // here come the code where then is an <U+202E> indication <U+2066>

            And same code as normal text will not show these then (but contains it)

            // here come the code where then is an indication

            Lars Klein added a comment - Copy & Paste was my inital try... No, I would not rate that as fixed. There can be normal text which includes the special chars. And as there is no indication for hidden bidi chars, a copy & paste will bring there somewhere eles where they might have an effect. It should be not only inidcated in Code Snippet parts like: // here come the code where then is an <U+202E> indication <U+2066> And same code as normal text will not show these then (but contains it) // here come the code where then is an indication

            Nikhil added a comment -

            In your opinion, did the upgrade completely or partially mitigated the actual vulnerability.

             

             

            Nikhil added a comment - In your opinion, did the upgrade completely or partially mitigated the actual vulnerability.    

            Nikhil added a comment -

            @Lars

            Copy paste won't work?

            Nikhil added a comment - @Lars Copy paste won't work?

            Lars Klein added a comment -

            Would be happy to do so. But when I click on Attachments, the icon disappears!

            Lars Klein added a comment - Would be happy to do so. But when I click on Attachments, the icon disappears!

            Nikhil added a comment -

            @Lars Klein - Please try to upload the image again. We would really to know more on this and take a call upon it.

            Nikhil added a comment - @Lars Klein - Please try to upload the image again. We would really to know more on this and take a call upon it.

            Lars Klein added a comment - - edited

            Is it correct that the fix is ONLY for Code Snippet content?

            Both lines have same content! Only for the second line the warning is given.

            That means if code is copied as normal text and not within a code snippet, there is no warning!?!

            (Edit: Sorry upload image with not possible...)

            Lars Klein added a comment - - edited Is it correct that the fix is ONLY for Code Snippet content? Both lines have same content! Only for the second line the warning is given. That means if code is copied as normal text and not within a code snippet, there is no warning!?! (Edit: Sorry upload image with not possible...)

            Ishan Hassija added a comment -

            During Jira upgradation to latest version 8.20.1 , it has started asking to install python-consul module. Is it pre reqs that need to perform before starting installation?

            Ishan Hassija added a comment - During Jira upgradation to latest version 8.20.1 , it has started asking to install python-consul module. Is it pre reqs that need to perform before starting installation?

            Ashish K added a comment - - edited

            More info on this :

            https://confluence.atlassian.com/kb/faq-for-cve-2021-42574-1093014910.html

            Ashish K added a comment - - edited More info on this : https://confluence.atlassian.com/kb/faq-for-cve-2021-42574-1093014910.html

            MM added a comment -

             

            can this vulnerability only be exploited if you are logged in to the system
            or can it be done completely without logging in?

             

            MM added a comment -   can this vulnerability only be exploited if you are logged in to the system or can it be done completely without logging in?  

            Zuheb Khan added a comment - - edited

            There are SDK changes in the 8.20.1 version from 8.6.x
            also there seems to be a typo in the supported version mentioned for Jira
            https://marketplace.atlassian.com/apps/1210991/atlassian-plugin-sdk-rpm/version-history
            Please advise how to check the intensity for the same.

            Zuheb Khan added a comment - - edited There are SDK changes in the 8.20.1 version from 8.6.x also there seems to be a typo in the supported version mentioned for Jira https://marketplace.atlassian.com/apps/1210991/atlassian-plugin-sdk-rpm/version-history Please advise how to check the intensity for the same.

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              17 Start watching this issue

                Created:
                Updated:
                Resolved: