[JSDSERVER-8716] Jira Service Management / Insight Asset Management vulnerable to RCE Security

    • 9
    • Critical
    • CVE-2018-10054

      Description 

      Insight - Asset Management has a feature to import data from several databases (DBs). One of these DBs, the H2 DB, has a native function in its library which an attacker can use to run code on the server (remote code execution a.k.a. RCE). The H2 DB is bundled with Jira to help speed up the setup of Jira test environments.

      The combination of the DB import feature introduced by Insight - Asset Management with the existing Jira H2 DB library exposed this vulnerability. The vulnerability exists whether or not the import configuration was saved and even if H2 was never used as a targeted DB. Accessing this vulnerability requires the following:

      • The user must be an authenticated Jira user AND

      Either of the following privileges within Insight - Asset Management:

      • user or group permission to “Insight administrator”
      • user or group permission to “Object Schema Manager”

       

      Acknowledgments

      The issue was discovered by l0gg via the Atlassian public bug bounty program.

       

      Affected versions:

      Insight - Asset Management version:
      • All 5.x versions
      • All 6.x versions
      • All 7.x versions
      • All 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.x, 8.6.x, 8.7.x, 8.8.x versions
      • All 8.9.x versions before 8.9.3

      Jira Service Management Data Center and Server version:

      • All 4.15.x versions
      • All 4.16.x versions
      • All 4.17.x versions
      • All 4.18.x versions
      • All 4.19.x versions

      Fixed versions:

      Insight - Asset Management-8.9.3 

      Jira Service Management Data Center and Jira Service Management Server-4.20.0 

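      Further details can be found on the advisory page: https://confluence.atlassian.com/adminjiraserver/jira-service-management-security-advisory-2021-10-20-1085186548.html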
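
      As an added example (not part of Atlassian's advisory), the affected and fixed version lists above can be turned into a triage check over an instance inventory. The product keys `insight` and `jsm`, the host names and the sample versions are constructed; versions at or above the fixed releases are assumed to carry the fix, and versions older than any listed line are reported as not listed rather than as safe.

```python
import re

# Bounds transcribed from the "Affected versions" / "Fixed versions" lists above.
INSIGHT_FIRST_LISTED = (5, 0, 0)   # oldest line listed: "All 5.x versions"
INSIGHT_FIXED = (8, 9, 3)          # Insight - Asset Management 8.9.3
JSM_FIRST_LISTED = (4, 15, 0)      # oldest line listed: "All 4.15.x versions"
JSM_FIXED = (4, 20, 0)             # Jira Service Management DC/Server 4.20.0

BOUNDS = {"insight": (INSIGHT_FIRST_LISTED, INSIGHT_FIXED),
          "jsm": (JSM_FIRST_LISTED, JSM_FIXED)}


def parse_version(text):
    """Turn '8.9.2' or '8.9' into a comparable 3-tuple; any suffix is ignored."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def classify(product, version):
    """Return 'affected', 'fixed' or 'not-listed' for one product/version pair."""
    first, fixed = BOUNDS[product]
    v = parse_version(version)
    if v >= fixed:
        return "fixed"        # assumption: later releases keep the fix
    if v >= first:
        return "affected"
    # Older than anything the advisory enumerates: do not report it as safe.
    return "not-listed"


def triage(inventory):
    """inventory: (host, product, version) rows; returns rows needing action."""
    return [(host, product, version, classify(product, version))
            for host, product, version in inventory
            if classify(product, version) != "fixed"]


# Constructed sample inventory (host names and versions are made up).
SAMPLE = [("jira-prod-1", "jsm", "4.19.1"), ("jira-prod-2", "jsm", "4.20.0"),
          ("jira-legacy", "insight", "8.9.2"), ("jira-stage", "insight", "8.9.3"),
          ("jira-old", "insight", "4.3.1")]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row)
```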


            Tomasz Prus made changes -
            Remote Link New: This issue links to "Page (Atlassian Documentation)" [ 913944 ]
            Eric Franklin (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 847577 ]
            Eric Franklin (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 846158 ]
            Maggie O. made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 809098 ]
            Security Metrics Bot made changes -
            Labels Original: CVE-2018-10054 advisory advisory-released dont-import security New: CVE-2018-10054 advisory advisory-released dont-import security 🔢✅
            Chung Park Chan made changes -
            Labels Original: CVE-2018-10054 advisory advisory-released dont-import hot-jira-fixed security New: CVE-2018-10054 advisory advisory-released dont-import security
            Chung Park Chan made changes -
            Labels Original: CVE-2018-10054 advisory advisory-released dont-import security New: CVE-2018-10054 advisory advisory-released dont-import hot-jira-fixed security
            Security Metrics Bot made changes -
            CVE ID New: CVE-2018-10054
            MM made changes -
            Comment [ If you delete this file you get some other errors... for example:
             * you couldn't generate Logfiles to Zip File
             * you couldn't configure outgoing Mails and much much more...

            So this workaround to delete the H2 File in the /WEB-INF/lib DIR is not helpful.
            On the contrary, it creates even more problems....

            Any comments from Atlassian here? ]

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Votes: 0
              Watchers: 21