• CVSS score: 7.4
• Severity: High
• CVE: CVE-2024-21685
• Reported by: Atlassian (Internal)
• CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
• Vulnerability type: Information Disclosure
• Product: Jira Core Data Center

      This High severity Information Disclosure vulnerability was introduced in versions 9.4.0, 9.12.0, and 9.15.0 of Jira Core Data Center.

      This Information Disclosure vulnerability, with a CVSS score of 7.4, allows an unauthenticated attacker to view sensitive information. It has a high impact on confidentiality, no impact on integrity, no impact on availability, and requires user interaction.

      Atlassian recommends that Jira Core customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the supported fixed versions listed below:

      Data Center

      | Affected versions          | Fixed versions                                  |
      |----------------------------|-------------------------------------------------|
      | from 9.15.0 to 9.15.2      | 9.16.0                                          |
      | from 9.14.0 to 9.14.1      | 9.16.0                                          |
      | from 9.13.0 to 9.13.1      | 9.16.0                                          |
      | from 9.12.0 to 9.12.7 LTS  | 9.16.0 or 9.12.8 LTS recommended                |
      | from 9.11.0 to 9.11.3      | 9.16.0 or 9.12.8 LTS recommended                |
      | from 9.10.0 to 9.10.2      | 9.16.0 or 9.12.8 LTS recommended                |
      | from 9.9.0 to 9.9.2        | 9.16.0 or 9.12.8 LTS recommended                |
      | from 9.8.0 to 9.8.2        | 9.16.0 or 9.12.8 LTS recommended                |
      | from 9.7.0 to 9.7.2        | 9.16.0 or 9.12.8 LTS recommended                |
      | from 9.6.0 to 9.6.2        | 9.16.0 or 9.12.8 LTS recommended                |
      | from 9.5.0 to 9.5.1        | 9.16.0 or 9.12.8 LTS recommended                |
      | from 9.4.0 to 9.4.20 LTS   | 9.16.0 or 9.4.21 LTS or 9.12.8 LTS recommended  |
      | from 9.3.0 to 9.3.3        | 9.16.0 or 9.4.21 LTS or 9.12.8 LTS recommended  |
      | from 9.2.0 to 9.2.1        | 9.16.0 or 9.4.21 LTS or 9.12.8 LTS recommended  |
      | from 9.1.0 to 9.1.1        | 9.16.0 or 9.4.21 LTS or 9.12.8 LTS recommended  |
      | 9.0.0                      | 9.16.0 or 9.4.21 LTS or 9.12.8 LTS recommended  |
      | Any earlier versions       | 9.16.0 or 9.4.21 LTS or 9.12.8 LTS recommended  |


      Server

      | Affected versions          | Fixed versions                          |
      |----------------------------|-----------------------------------------|
      | from 9.12.0 to 9.12.7 LTS  | 9.12.8 LTS recommended                  |
      | from 9.11.0 to 9.11.3      | 9.12.8 LTS recommended                  |
      | from 9.10.0 to 9.10.2      | 9.12.8 LTS recommended                  |
      | from 9.9.0 to 9.9.2        | 9.12.8 LTS recommended                  |
      | from 9.8.0 to 9.8.2        | 9.12.8 LTS recommended                  |
      | from 9.7.0 to 9.7.2        | 9.12.8 LTS recommended                  |
      | from 9.6.0 to 9.6.2        | 9.12.8 LTS recommended                  |
      | from 9.5.0 to 9.5.1        | 9.12.8 LTS recommended                  |
      | from 9.4.0 to 9.4.20 LTS   | 9.4.21 LTS or 9.12.8 LTS recommended    |
      | from 9.3.0 to 9.3.3        | 9.4.21 LTS or 9.12.8 LTS recommended    |
      | from 9.2.0 to 9.2.1        | 9.4.21 LTS or 9.12.8 LTS recommended    |
      | from 9.1.0 to 9.1.1        | 9.4.21 LTS or 9.12.8 LTS recommended    |
      | 9.0.0                      | 9.4.21 LTS or 9.12.8 LTS recommended    |
      | Any earlier versions       | 9.4.21 LTS or 9.12.8 LTS recommended    |


      See the release notes. You can download the latest version of Jira Core Data Center from the download center.
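      As an added example (not code from the advisory, from Atlassian, or from this issue page), the following Python script encodes the two tables above and resolves an installed Jira version to affected / not affected together with the upgrade targets the table lists for it. The observation that every row reduces to "the listed fixed versions that are newer than the installed version, where a backported LTS fix clears only its own 9.4.x or 9.12.x line" is the editor's own reading of the tables, and the hostnames in the sample inventory are constructed.

```python
# Added example, not code from the advisory or from Atlassian: a small checker
# that resolves an installed Jira Core / Jira Software version against the
# affected/fixed version tables published above for CVE-2024-21685.
#
# Every row of the two tables reduces to one rule (editor's reading of the
# table): a version is affected unless it is at or above the fix for its own
# LTS line (9.4.x, 9.12.x) or at or above the newest fixed release overall,
# and the upgrade targets for an affected version are the listed fixed
# versions newer than it. So the tables collapse to these lists
# (second element: is this a long-term-support line?).
FIXED_VERSIONS = {
    "Data Center": [("9.16.0", False), ("9.12.8", True), ("9.4.21", True)],
    "Server": [("9.12.8", True), ("9.4.21", True)],
}


def parse_version(text):
    """'9.12.7 LTS' -> (9, 12, 7). Missing trailing components count as 0."""
    core = text.replace("LTS", "").strip()
    parts = [int(p) for p in core.split(".") if p]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised Jira version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version, deployment="Data Center"):
    """True if `version` falls inside an affected row of the table."""
    v = parse_version(version)
    fixes = [parse_version(f) for f, _ in FIXED_VERSIONS[deployment]]
    if v >= max(fixes):
        return False  # at or past the newest fixed release (e.g. 9.16.x on DC)
    # A backported LTS fix clears only its own minor line: 9.12.8 fixes 9.12.x
    # but says nothing about 9.13.x, which the table sends to 9.16.0.
    return not any(v[:2] == f[:2] and v >= f for f in fixes)


def upgrade_targets(version, deployment="Data Center"):
    """Fixed versions from the table that are upgrades from `version`."""
    v = parse_version(version)
    return [
        f + (" LTS" if lts else "")
        for f, lts in FIXED_VERSIONS[deployment]
        if parse_version(f) > v
    ]


def check(version, deployment="Data Center"):
    """One table lookup as a dict, convenient for an inventory report."""
    affected = is_affected(version, deployment)
    return {
        "version": version,
        "deployment": deployment,
        "affected": affected,
        "upgrade_to": upgrade_targets(version, deployment) if affected else [],
    }


def report(inventory):
    """Check a list of (hostname, deployment, version) tuples and return the
    affected hosts with their upgrade targets, oldest version first."""
    rows = []
    for host, deployment, version in inventory:
        result = check(version, deployment)
        if result["affected"]:
            rows.append((host, version, ", ".join(result["upgrade_to"])))
    return sorted(rows, key=lambda r: parse_version(r[1]))


if __name__ == "__main__":
    # Constructed sample inventory (hostnames are made up). The versions are
    # the ones asked about in the comments on this issue (9.13.1, 9.4.3,
    # 9.1.0, 9.3.3) plus two that are already on a fixed release.
    SAMPLE_INVENTORY = [
        ("jira-prod-01", "Data Center", "9.13.1"),
        ("jira-prod-02", "Data Center", "9.4.3"),
        ("jira-test-01", "Data Center", "9.1.0"),
        ("jira-test-02", "Server", "9.3.3"),
        ("jira-new-01", "Data Center", "9.16.0"),
        ("jira-lts-01", "Server", "9.12.8 LTS"),
    ]
    for host, version, targets in report(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected, upgrade to {targets}")
```

      Running the script answers the questions raised in the comments directly from the table: 9.13.1 on Data Center is affected and its only listed target is 9.16.0, while 9.4.3 is affected with 9.16.0, 9.12.8 LTS and 9.4.21 LTS as targets. Any version at or above 9.16.0, 9.12.8 on the 9.12 line, or 9.4.21 on the 9.4 line is reported as not affected.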

      This vulnerability was found internally.

            [JRASERVER-77713] Information Disclosure in Jira Core Data Center

            Stefano Coletta added a comment -

            By reading the Security Bulletin - June 18 2024 it seems Jira DC 9.13.1 is not affected, while I can read that it is affected by looking at the table in the description of this issue, 3rd line:

            from 9.13.0 to 9.13.1 9.16.0

            Which is the correct information?

            Can you please re-check the published information?

            Andreas Berge added a comment -

            69f4c7b053d7 Data Center versions "from 9.4.0 to 9.4.20 LTS" are affected, i.e. 9.4.3 is affected.

            Roman Yudakov added a comment -

            Did I understand correctly that version 9.4.3 of the Data Center is not affected?

            Andreas Berge added a comment - edited

            I am confused, too.

            The vulnerability is in Jira Core and it was introduced in versions 9.4.0, 9.12.0, and 9.15.0. These are also the affected versions according to the field. But later in the description other affected versions are listed in the table. This can be summarized with "all older versions except for the fixed versions are affected".

            Also the API claims the older versions (I tested it for 9.1.0 and 9.3.3) to be affected.

            It is ok that the (very) old non-LTS versions are not listed in the affected versions field. But saying "was introduced in" means IMHO that it does not exist in any earlier versions.

            Another question is if the vulnerability exists in Jira Software, too. I would guess that this is the case, because Jira Core is the foundation of Jira Software and Jira Service Management. But that does not match the results of the API. While other CVEs that are listed for Jira Core are also listed for Jira Software (e.g. CVE-2022-1471 for 9.1.0), CVE-2024-21685 is only listed for Jira Core but not for Jira Software. And only if I explicitly asked for Jira Core Data Center and not for Jira Software Data Center.

            Maxime Boyer added a comment -

            Yes, this impacts Jira Core and Jira Software (Server and Data Center licenses). See the Jira Software release notes.

            If I read properly, any version before 9.4.21 LTS, 9.12.8 LTS and 9.16.0 is vulnerable.

            T.CON GmbH & Co. KG added a comment - edited

            Also a bit of confusion for us: are Server versions (Jira Core Server) also affected, or only Data Center?

            Thomas Clemens added a comment -

            There is a bit of confusion for us about whether we are affected. Are only Core licenses affected, or does this also concern us if we use Jira Software?

              Assignee: Unassigned
              Reporter: Security Metrics Bot (security-metrics-bot)
              Votes: 0
              Watchers: 15
