-
Public Security Vulnerability
-
Resolution: Fixed
-
Low (View bug fix roadmap)
-
8.13.12, 8.20.0
-
None
-
7.1
-
High
-
CVE-2021-42574
Researchers at the University of Cambridge reported a vulnerability affecting Jira Server / DC where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the browser or code editors but can affect the meaning of the source code when it is processed by a compiler or an interpreter. The issue is now fixed.
Affected versions:
- All versions before 8.13.13
- All versions between 8.14.0 and 8.19.1 (inclusive)
- All 8.20.x LTS versions before 8.20.1
Fixed versions:
- 8.13.13
- 8.20.1
[JRASERVER-72978] Unicode characters allow malicious code to be hidden from a human reviewer (Jira Server) - CVE-2021-42574
In your opinion, did the upgrade completely or partially mitigated the actual vulnerability.
Would be happy to do so. But when I click on Attachments, the icon disappears!
@Lars Klein - Please try to upload the image again. We would really to know more on this and take a call upon it.
Is it correct that the fix is ONLY for Code Snippet content?
Both lines have same content! Only for the second line the warning is given.
That means if code is copied as normal text and not within a code snippet, there is no warning!?!
(Edit: Sorry upload image with not possible...)
During Jira upgradation to latest version 8.20.1 , it has started asking to install python-consul module. Is it pre reqs that need to perform before starting installation?
can this vulnerability only be exploited if you are logged in to the system
or can it be done completely without logging in?
There are SDK changes in the 8.20.1 version from 8.6.x
also there seems to be a typo in the supported version mentioned for Jira
https://marketplace.atlassian.com/apps/1210991/atlassian-plugin-sdk-rpm/version-history
Please advise how to check the intensity for the same.
Agree!! We need to have an alternate solution and upgrade cannot be done right away!!
Will a workaround be provided for client where version upgrade is not an option at this time, or can this be mitigated in any other way?
This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 7.1 => High severity
Exploitability Metrics
| Attack Vector | Network |
|---|---|
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
Scope Metric
| Scope | Changed |
|---|
Impact Metrics
| Confidentiality | Low |
|---|---|
| Integrity | Low |
| Availability | Low |
See http://go.atlassian.com/cvss for more details.
https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Copy & Paste was my inital try...
No, I would not rate that as fixed. There can be normal text which includes the special chars. And as there is no indication for hidden bidi chars, a copy & paste will bring there somewhere eles where they might have an effect. It should be not only inidcated in Code Snippet parts like:
// here come the code where then is an <U+202E> indication <U+2066>And same code as normal text will not show these then (but contains it)
// here come the code where then is an indication