-
Bug
-
Resolution: Fixed
-
Medium (View bug fix roadmap)
-
8.13.10, 9.4.0, 9.4.9
-
8.13
-
3
-
Severity 2 - Major
-
3
-
We have found during testing that by sending a fake header with a domain name (supplying as a suffix (i.e. attack.eu)) into the Host header field, the web server processes the input to send the request to an attacker-controlled host that resides at the supplied domain, and not to an internal virtual host that resides on the web server.
Affected versions:
- 8.13.10
Earlier fixed versions:
- 7.13.16
- 8.5.7
- 8.9.2
- 8.10.1
- 8.11.0
- is cloned from
-
-
- Closed
-
- followed by
-
SEF-15650 You do not have permission to view this issue
[JRASERVER-73811] IDOR (Insecure direct object references) in Jira 8.13.10
Hi b857b614d2c4,
Thanks for sharing you've found issue in our current supported version Jira 8.20.14 as well. There seems to a mix of information on our end regarding this reported bug. We'd like to gather additional information from our customer and would appreciate if we can work together towards a resolution. In moving forward, you may consider the following options:
(1) You have a chance to earn a monetary reward by reporting this security bug in our Bug Bounty on Bugcrowd. If we can confirm that the bug exists within our product and it's within the scope of our program, you'll earn a bounty reward. The bounty is here: https://bugcrowd.com/atlassian
(2) Otherwise, you may log a new report with us at https://support.atlassian.com/contact/ , although you won't be able to earn a bounty reward for the report.
Thank you,
Zul
Atlassian Support
Hi @Karol Skwierawski
Jira server version 8.20.14 also has this vulnerability.
Hello
Could you please provide an update on the same whether any team was able to assign this medium priority issue and work on it, when could he expect a solution for the same ?
since this ticket hasn't been updated to reflect progress!!
Hi Team,
Kindly update on the issue as its been pending for long.
Regards,
Nitin
Hi Karol.
Thanks for taking this into priority as vulnerability we would appreciate a resolution or workaround for the same.
Please keep the thread posted with updates as you go.
Best Regards
Zuheb Khan
b857b614d2c4 Hi sorry for no reply but i was on leave, this issue has been imported into vulnerability funnel with priority medium, and waits for one of the teams to take care of it. If there is any progress you will see it in this ticket
Hi @Karol Skwierawski
Could you please update us on this bug, I see it being a sev -2 without any action.
If there isn't any progress on this one kindly let us know when can we have an expected update/progress.
Could you please let us know of the update on this vulnerability ?
And the version we should upgrade to to fix it !
We are still facing the issue, however, we have upgraded our Jira to 9.4.9v , when are we going to have a fix for this one ?