-
Public Security Vulnerability
-
Resolution: Fixed
-
High
-
5.4.0, (54)
5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.6, 5.4.7, 5.4.8, 5.4.9, 5.4.10, 5.12.0, 5.4.11, 5.13.0, 5.4.12, 5.14.0, 5.12.1, 5.4.13, 5.4.14, 5.4.15, 5.12.2, 5.13.1, 5.4.16, 5.12.3, 5.4.17, 5.12.4, 5.14.1, 10.0.0, 5.4.18, 5.12.6, 5.4.19, 5.16.0, 5.12.5, 5.4.20, 5.12.7, 5.15.2, 5.4.21, 5.12.8, 5.4.22, 5.12.9, 5.17.0, 5.16.1, 5.12.12, 5.4.23, 5.12.10, 5.12.11, 5.4.24, 5.17.1, 5.4.25, 5.4.26, 5.12.13, 5.17.2, 10.0.1, 5.4.27, 5.17.3 -
None
-
None
-
7.5
-
High
-
CVE-2024-7254
-
Atlassian (Internal)
-
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
-
Other
-
Jira Service Management Data Center
-
High
-
Jira Service Management Data Center
This High severity Stack-based Buffer Overflow vulnerability was introduced in version 5.12.0 of Jira Service Management Data Center and Server.
This Stack-based Buffer Overflow vulnerability, with a CVSS Score of 7.5, allows an unauthenticated attacker to impact service availability, which has no impact to confidentiality, no impact to integrity, high impact to availability, and requires no user interaction.
Atlassian recommends that Jira Service Management Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions:
| Affected Versions | Fix Versions |
|---|---|
| from 10.0.0 to 10.0.1 | 10.1.1 |
| from 5.17.0 to 5.17.3 | 5.17.4 |
| from 5.16.0 to 5.16.1 | |
| 5.15.2 | |
| from 5.14.0 to 5.14.1 | |
| from 5.13.0 to 5.13.1 | |
| from 5.12.0 to 5.12.13 LTS | 5.12.14 |
| from 5.4.0 to 5.4.27 |
You can download the latest version of Jira Service Management Data Center and Server from the download center ([https://www.atlassian.com/software/jira/service-management/download-archives]).
This vulnerability was reported via our Bug Bounty program.
| Form Name | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
[JSDSERVER-15617] Stack-based Buffer Overflow com.google.protobuf:protobuf-java Dependency in Jira Service Management Data Center and Server
It looks like this was introduced in 5.4.0 why is there no back-port to 5.4.x which is still a valid LTS release?
As 5.4.0 is listed as affected version and searched for imports from that library in the source code (atlassian-jira-servicedesk-5.4.0-source) and i only found this annotation in 2 classes:
import com.google.protobuf.ExperimentalApi;
The corresponding NVD article (https://nvd.nist.gov/vuln/detail/CVE-2024-7254) has the following description:
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.
4 JSM related libraries have a Maven dependency but don't have any imports.
Would be great to have some more details here if there is really a risk or just "we had this dependency but we're not affected by anything"?
a64d184ae8e6 1eb1d8553901
What about the 5.4?
Because of a bug in an app we can't "quickly” switch to 5.12.