Uploaded image for project: 'Jira Service Management Data Center'
  1. Jira Service Management Data Center
  2. JSDSERVER-10843

Unicode characters allow malicious code to be hidden from a human reviewer (JSM Server & Insight asset management App) - CVE-2021-42574

XMLWordPrintable

    • 7.1
    • High
    • CVE-2021-42574

      Researchers at the University of Cambridge reported a vulnerability affecting Jira Service Management Server / DC (and Insight Asset Management app) where special characters, known as Unicode bidirectional override characters, are not rendered or displayed in the affected applications. These special characters are typically not displayed by the browser or code editors but can affect the meaning of the source code when it is processed by a compiler or an interpreter. The issue is now fixed.

      Affected versions:

      • Jira Service Management Server and Data Center
        • All versions before 4.13.13
        • All versions between 4.14.0 and 4.19.1 (inclusive)
        • All 4.20.x LTS versions before 4.20.1
      • Insight Asset Management (Marketplace app for Jira Service Management)
        • All versions before 8.9.4

      Fixed versions:

      • Jira Service Management Server and Data Center
        • 4.13.13
        • 4.20.1
      • Insight Asset Management (Marketplace app for Jira Service Management)
        • 8.9.4

            [JSDSERVER-10843] Unicode characters allow malicious code to be hidden from a human reviewer (JSM Server & Insight asset management App) - CVE-2021-42574

            Yasmine added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 7.1 => High severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity Low
            Privileges Required None
            User Interaction Required

            Scope Metric

            Scope Changed

            Impact Metrics

            Confidentiality Low
            Integrity Low
            Availability Low

            See http://go.atlassian.com/cvss for more details.

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

            Yasmine added a comment - This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 7.1 => High severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction Required Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity Low Availability Low See http://go.atlassian.com/cvss for more details. https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: