Uploaded image for project: 'Jira Service Management Data Center'
  1. Jira Service Management Data Center
  2. JSDSERVER-14401

XXE (XML External Entity Injection) in Jira Service Management Data Center and Server - CVE-2019-13990

XMLWordPrintable

    • Icon: Public Security Vulnerability Public Security Vulnerability
    • Resolution: Fixed
    • Icon: Highest Highest
    • 5.7.2, 5.8.2, 5.9.2, 5.10.1, 5.4.10, 4.20.26
    • 4.20.0, 4.21.0, 4.20.1, 4.20.2, 4.20.3, 4.21.1, 4.20.4, 4.20.5, 4.20.6, 4.21.2, 4.20.7, 4.20.8, 4.20.9, 4.20.10, 4.20.11, 4.20.12, 4.20.13, 4.20.14, 5.4.0, 4.20.15, 5.4.1, 4.20.16, 5.5.1, 4.20.17, 5.4.2, 5.6.0, 5.4.3, 4.20.18, 5.7.0, 4.20.19, 5.4.4, 5.8.0, 4.20.20, 5.7.1, 4.20.21, 5.4.5, 4.20.22, 5.4.6, 5.8.1, 5.9.0, 4.20.23, 5.4.7, 4.20.24, 5.4.8, 5.10.0, 4.20.25, 5.4.9
    • None
    • 9.8
    • Critical
    • CVE-2019-13990
    • Atlassian (Internal)
    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • XXE (XML External Entity Injection)
    • Jira Service Management Data Center, Jira Service Management Server

      Summary of Vulnerability

      Certain versions of Jira Service Management Server & Data Center were affected by CVE-2019-13990. The affected versions contained vulnerable versions of Terracotta Quartz Scheduler which allowed authenticated attackers to initiate an XML External Entity injection attack using job descriptions.

      Atlassian has committed to issuing critical advisories based on the NVD vulnerability score, in this case the CVSS for this third party CVE is critical (9.8), but this score doesn’t always account for the context in which a vulnerable component is used in our software. Unauthenticated attackers without local access to the system are unable to exploit this vulnerability. As such, our internal assessment of this vulnerability is scored as high severity.

      This critical severity XXE (XML External Entity Injection) vulnerability known as CVE-2019-13990 affects versions including and after 4.20.0 of Jira Service Management Data Center and Server. Versions outside of the support window (i.e. versions that have reached End of Life) may also be affected, so Atlassian recommends you upgrade to a fixed LTS version or later.

      Affected Versions

      Product Affected Versions
      Jira Service Management Data Center
      Jira Service Management Server
      • 4.20.0
      • 4.20.1
      • 4.20.2
      • 4.20.3
      • 4.20.4
      • 4.20.5
      • 4.20.6
      • 4.20.7
      • 4.20.8
      • 4.20.9
      • 4.20.10
      • 4.20.11
      • 4.20.12
      • 4.20.13
      • 4.20.14
      • 4.20.15
      • 4.20.16
      • 4.20.17
      • 4.20.18
      • 4.20.19
      • 4.20.20
      • 4.20.21
      • 4.20.22
      • 4.20.23
      • 4.20.24
      • 4.20.25
      • 4.21.0
      • 4.21.1
      • 4.22.0
      • 4.22.1
      • 4.22.2
      • 4.22.3
      • 4.22.4
      • 4.22.6
      • 5.0.0
      • 5.1.0
      • 5.1.1
      • 5.2.0
      • 5.2.1
      • 5.3.0
      • 5.3.1
      • 5.3.2
      • 5.3.3
      • 5.4.0
      • 5.4.1
      • 5.4.2
      • 5.4.3
      • 5.4.4
      • 5.4.5
      • 5.4.6
      • 5.4.7
      • 5.4.8
      • 5.4.9
      • 5.5.1
      • 5.6.0
      • 5.7.0
      • 5.7.1
      • 5.8.0
      • 5.8.1
      • 5.9.0
      • 5.10.0

      Fixed Versions

      Product Fixed Versions
      Jira Service Management Data Center
      Jira Service Management Server
      • 4.20.26 or later
      • 5.4.10 or later
      • 5.7.2 or later
      • 5.8.2 or later
      • 5.9.2 or later
      • 5.10.1 or later

      What You Need to Do

      Atlassian recommends that you upgrade your instance to one of the versions listed in the “Fixed Versions” table section of this ticket. For full descriptions of the above versions of Jira Service Management Data Center and Server, see the release notes. You can download the latest version of Jira Service Management Data Center and Server from the download center.

      Mitigation

      If you are unable to upgrade to a fixed version immediately, you can temporarily remediate this vulnerability by disabling Assets on your Jira Service Management instance by following these instructions. This has the consequence of disabling Assets functionality. https://confluence.atlassian.com/x/hHLSQ

      For additional details, please see full advisory here: https://confluence.atlassian.com/pages/viewpage.action?pageId=1295385959

      Acknowledgments

      This vulnerability was discovered and reported via our Atlassian (Internal) program.

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              23 Start watching this issue

                Created:
                Updated:
                Resolved: