[JSWSERVER-25461] XXE (XML External Entity Injection) jackson-databind in Jira Software Data Center and Server

    • 7.5
    • High
    • CVE-2020-25649
    • Atlassian (Internal)
    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    • XXE (XML External Entity Injection)
    • Jira Software Data Center, Jira Software Server

      This High severity Third-Party Dependency vulnerability was introduced in versions 8.20.0, 9.4.0, 9.5.0, and 9.6.0 of Jira Software Data Center and Server.

      This Third-Party Dependency vulnerability, with a CVSS score of 7.5 and a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, allows an unauthenticated attacker to expose assets in your environment to exploitation. It has no impact on confidentiality, high impact on integrity and no impact on availability, and requires no user interaction.

      Atlassian recommends that Jira Software Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions:

      • Jira Software Data Center and Server 9.4: Upgrade to a release greater than or equal to 9.4.13
      • Jira Software Data Center and Server 9.4: Upgrade to a release greater than or equal to 9.7.0

      See the release notes. You can download the latest version of Jira Software Data Center and Server from the download center.

      The National Vulnerability Database provides the following description for this vulnerability: A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
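Added example, not part of the Jira issue or of Atlassian's tooling: a small check that compares an installed Jira version against the fix versions this advisory lists (9.4.13 on the 9.4 line, 9.7.0 otherwise) and inventories jackson-databind jars under the WEB-INF/lib path quoted in the first comment below. Only the filename is inspected; the fixed jackson-databind version itself is not given on this page, so the script reports what is installed rather than judging the jar.

```python
"""Check a Jira Software Data Center/Server install against JSWSERVER-25461."""
import re
from pathlib import Path

# Minimum fix versions named in the advisory, keyed by release line.
FIXED_VERSIONS = {(9, 4): (9, 4, 13), (9, 7): (9, 7, 0)}
# Matches jackson-databind-<version>.jar, e.g. jackson-databind-2.13.4.jar
JAR_RE = re.compile(r"^jackson-databind-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'9.4.13' -> (9, 4, 13); missing components count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def meets_fixed_version(jira_version):
    """True if the version is at or above a fix version the advisory lists.

    9.7.0 and later are fixed; on the 9.4 line, 9.4.13 and later are fixed.
    Every other line (8.20.x, 9.5.x, 9.6.x, ...) has no fix version listed
    here, so the advisory's instruction is to move to 9.4.13+ or 9.7.0+.
    """
    v = parse_version(jira_version)
    if v >= FIXED_VERSIONS[(9, 7)]:
        return True
    return v[:2] == (9, 4) and v >= FIXED_VERSIONS[(9, 4)]


def jackson_databind_jars(filenames):
    """Return [(filename, version)] for every jackson-databind jar in the list."""
    found = []
    for name in filenames:
        m = JAR_RE.match(name)
        if m:
            found.append((name, m.group(1)))
    return found


def scan_install(install_dir):
    """Inventory <jira-install-directory>/atlassian-jira/WEB-INF/lib."""
    lib = Path(install_dir) / "atlassian-jira" / "WEB-INF" / "lib"
    return jackson_databind_jars(p.name for p in lib.iterdir()) if lib.is_dir() else []


if __name__ == "__main__":
    # Constructed sample: a 9.4.12 install whose lib folder holds these jars.
    sample_lib = ["jackson-core-2.13.4.jar", "jackson-databind-2.13.4.jar"]
    print("9.4.12 meets fix version:", meets_fixed_version("9.4.12"))  # False
    print("jars:", jackson_databind_jars(sample_lib))
```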


            r added a comment -

            The jackson-databind package maven/com.fasterxml.jackson.core:jackson-databind, jackson-databind-2.x.x.jar, is not there in the 8.20.28 installation. Location: <jira-install-directory>\atlassian-jira\WEB-INF\lib. It is there in the 9.4.x install.


            Emmanuel Baur added a comment -

            Does it affect Jira Core 8.20.x?

            Sila Asya Varisli added a comment -

            Does it affect companies which are using Jira within the intranet?

            Antony Moss added a comment - edited

            When is the fix for 8.20.x LTS getting released?

            https://confluence.atlassian.com/support/atlassian-support-end-of-life-policy-201851003.html

            8.20 (EOL date: 31 Jan 2024) LONG TERM SUPPORT

            https://www.atlassian.com/trust/security/bug-fix-policy

            For critical vulnerabilities

            Back Port Policy

            Issue new bug fix releases for:

            • Any versions designated a 'Long Term Support release' that have not reached end of life.

            +1 to the list of people wondering what's happened to the 8.20 fix train...

            Update: I suppose this reflects that it's not "critical" (so back porting isn't demanded by the policy)?


            Jan Abresch added a comment -

            Please verify if 8.22.x is affected by this vulnerability or only 8.20.0.

            oufiniamine added a comment - edited

            Is Jira 8.20.30 affected?


            Noni Khutane added a comment -

            Is 8.22 affected?

            r added a comment -

            When is the fix for 8.20.x LTS getting released. Please let us know as soon as possible.


            John Price added a comment -

            We are running Jira 8.20.27. The Dec. 12 bulletin at https://confluence.atlassian.com/security/security-bulletin-december-12-2023-1319249520.html says

            Patch to a minimum fix version of 9.4.13 or latest

            Does that mean there is no 8.20.x patched version available?


              Assignee: Unassigned
              Reporter: Security Metrics Bot