[JSDSERVER-15310] Infinite Loop vulnerability in Jira Service Management Data Center and Server

Type: Public Security Vulnerability
Resolution: Unresolved
Priority: High
Fix Version/s: 5.12.8
Affects Version/s: 5.12.0, 5.12.1, 5.12.2, 5.12.3, 5.12.4, 5.12.6, 5.12.5, 5.12.7
Component/s: None
Labels:

CVSS Score:
7.5
CVSS Severity:
High
Vulnerability Source:
Atlassian (Internal)
CVSSv3 Vector:
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Classes:

DoS (Denial of Service)
Affected Product(s):

Jira Service Management Data Center, Jira Service Management Server

This vulnerability, with a CVSS Score of 7.5, contains an iteration or loop with an exit condition that cannot be reached. If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory. The software's operation may slow down, or cause a long time to respond (see https://cwe.mitre.org/data/definitions/835.html).

Atlassian recommends that Jira Service Management Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

Data Center

Affected versions	Fixed versions
from 5.12.0 LTS to 5.12.7 LTS	5.12.8 LTS recommended
from 5.11.0 to 5.11.3	5.12.8 LTS recommended
from 5.10.0 to 5.10.2	5.12.8 LTS recommended
from 5.9.0 to 5.9.2	5.12.8 LTS recommended
from 5.8.0 to 5.8.2	5.12.8 LTS recommended
from 5.7.0 to 5.7.2	5.12.8 LTS recommended
from 5.6.0 to 5.6.2	5.12.8 LTS recommended
from 5.5.0 to 5.5.1	5.12.8 LTS recommended
from 5.4.0 LTS to 5.4.19 LTS	5.12.8 LTS recommended
from 5.3.0 to 5.3.1	5.12.8 LTS recommended
from 5.2.0 to 5.2.1	5.12.8 LTS recommended
from 5.1.0 to 5.1.1	5.12.8 LTS recommended
5.0	5.12.8 LTS recommended
from 4.22 to 4.22.6	5.12.8 LTS recommended
Any earlier versions	5.12.8 LTS recommended

Server

Affected versions	Fixed versions
from 5.12.0 LTS to 5.12.7 LTS	5.12.8 LTS recommended
from 5.11.0 to 5.11.3	5.12.8 LTS recommended
from 5.10.0 to 5.10.2	5.12.8 LTS recommended
from 5.9.0 to 5.9.2	5.12.8 LTS recommended
from 5.8.0 to 5.8.2	5.12.8 LTS recommended
from 5.7.0 to 5.7.2	5.12.8 LTS recommended
from 5.6.0 to 5.6.2	5.12.8 LTS recommended
from 5.5.0 to 5.5.1	5.12.8 LTS recommended
from 5.4.0 LTS to 5.4.19 LTS	5.12.8 LTS recommended
from 5.3.0 to 5.3.1	5.12.8 LTS recommended
from 5.2.0 to 5.2.1	5.12.8 LTS recommended
from 5.1.0 to 5.1.1	5.12.8 LTS recommended
5.0	5.12.8 LTS recommended
from 4.22 to 4.22.6	5.12.8 LTS recommended
Any earlier versions	5.12.8 LTS recommended

Versions released after 5.12 LTS are not affected.

See the release notes (http://www.atlassian.com/software/jira/service-management/download-archives). You can download the latest version of Jira Software Data Center and Server from the download center (http://www.atlassian.com/software/jira/service-management/download-archives)

This vulnerability was found internally.

Robert Leachman added a comment - 24/Jun/2024 5:03 PM

I see 5.4 mentioned as affected with a recommendation to upgrade to 5.12 which isn't feasible.

Do we need an LTS patch for 5.4?

Thanks!

Robert Leachman added a comment - 24/Jun/2024 5:03 PM I see 5.4 mentioned as affected with a recommendation to upgrade to 5.12 which isn't feasible. Do we need an LTS patch for 5.4? Thanks!

Assignee:: Unassigned

Reporter:: Yann

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 15/May/2024 7:23 AM

Updated:: 24/Jun/2024 5:03 PM

Jira Service Management Data Center

Details

Description

Attachments

Forms

Activity

Collapse comment: Robert Leachman added a comment - 24/Jun/2024 5:03 PM

Expand comment: Robert Leachman added a comment - 24/Jun/2024 5:03 PM

People

Dates