
The version of moment.js used in Jira Service Desk was vulnerable to a regular expression denial of service



      The version of moment.js used in Jira Service Desk Server before version 4.0.0 allows remote attackers to cause a denial of service in users' browsers via a regular expression denial of service. For additional details see https://github.com/moment/moment/issues/2936.

            [JSDSERVER-6289] The version of moment.js used in Jira Service Desk was vulnerable to a regular expression denial of service

            Aliaksei Melnikau (Inactive) made changes -
            UIS New: 0
            Owen made changes -
            Workflow Original: JSD Bug Workflow v5 - TEMP [ 3122115 ] New: JAC Bug Workflow v3 [ 3125943 ]
            Status Original: Done [ 10044 ] New: Closed [ 6 ]
            David Black made changes -
            Link New: This issue is detailed by JSDSERVER-5963 [ JSDSERVER-5963 ]

            David Black added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 4.3 => Medium severity

            Exploitability Metrics

            Attack Vector: Network
            Attack Complexity: Low
            Privileges Required: Low
            User Interaction: None

            Scope Metric

            Scope: Unchanged

            Impact Metrics

            Confidentiality: None
            Integrity: None
            Availability: Low

            See http://go.atlassian.com/cvss for more details.

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

            David Black made changes -
            Link New: This issue relates to JRASERVER-69040 [ JRASERVER-69040 ]
            David Black made changes -
            Labels Original: advisory advisory-released cvss-medium security New: advisory advisory-released cvss-medium patch-management security
            David Black made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Untriaged [ 11672 ] New: Done [ 10044 ]
            David Black made changes -
            Security Original: Atlassian Staff [ 10750 ]
            David Black made changes -
            Labels Original: advisory advisory-to-release cvss-medium exclude-from-security-metrics-page security New: advisory advisory-released cvss-medium security

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot