This advisory announces a security vulnerability that has been found in all versions of JIRA prior to 4.2.2 and fixed in 4.2.2 and later versions. Enterprise Hosted customers should request an upgrade by filing a ticket at http://support.atlassian.com. JIRA Studio is not vulnerable to any of the issues described in this advisory.
Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
In this advisory:
Parameter-Based Redirection Vulnerability
Atlassian rates this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low. This vulnerability is not critical.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
Parameter-based redirection vulnerabilities (commonly called open redirects) allow an attacker to craft a JIRA URL in such a way that a user clicking on this URL is redirected to a different web site. Because the link itself points at a trusted JIRA instance, this can be used for phishing.
Some actions in JIRA redirect users to a new page after the action has been completed, with the destination taken from a request parameter. It was possible to hand-craft a URL that would redirect to a site outside the current instance of JIRA. Starting with JIRA 4.2.2, all such redirections are limited to pages inside the current instance of JIRA.
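As an added illustration that is not part of the original advisory or of Atlassian's own code, the check below shows the kind of validation the fix describes: a redirect target taken from a request parameter is accepted only if it stays inside the instance identified by its base URL. The base URL jira.example.com with context path /jira, the default landing page and the bypass strings in the demo are all constructed assumptions for this example.

```python
import posixpath
from urllib.parse import urlsplit

# Hypothetical base URL of the JIRA instance (assumption made for this example).
JIRA_BASE_URL = "https://jira.example.com/jira"


def _context_path(base_url: str) -> str:
    """Return the instance's context path without a trailing slash ('' if none)."""
    return urlsplit(base_url).path.rstrip("/")


def _path_inside_context(path: str, context: str) -> bool:
    """True if an absolute path, after resolving '.' and '..', is at or under the context path."""
    normalised = posixpath.normpath(path or "/")
    return normalised == context or normalised.startswith(context + "/")


def is_safe_redirect(target: str, base_url: str = JIRA_BASE_URL) -> bool:
    """Return True only if `target` redirects to a page inside the instance at `base_url`.

    Two shapes are accepted: an absolute path such as "/jira/browse/ABC-1", or an
    absolute URL whose scheme and host:port match the instance exactly. Everything
    else is rejected, including the usual open-redirect bypasses: protocol-relative
    "//evil.example", backslash variants "/\\evil.example", scheme-only
    "https:evil.example" and userinfo tricks "https://jira.example.com@evil.example/".
    The function expects the already URL-decoded parameter value.
    """
    if not target:
        return False
    # Browsers treat "\" as "/" in http(s) URLs, so "/\evil" is really "//evil";
    # CR/LF would also allow header injection through the Location header, and
    # tabs/newlines are silently stripped by browsers. None are ever legitimate here.
    if "\\" in target or any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return False

    base = urlsplit(base_url)
    context = _context_path(base_url)
    parsed = urlsplit(target)

    if parsed.scheme or parsed.netloc:
        # Absolute or protocol-relative URL: scheme and host:port must match exactly.
        if parsed.scheme.lower() != base.scheme.lower():
            return False
        if parsed.netloc.lower() != base.netloc.lower():
            return False
        return _path_inside_context(parsed.path, context)

    # Relative target: must be a path starting with exactly one "/".
    if not target.startswith("/") or target.startswith("//"):
        return False
    return _path_inside_context(parsed.path, context)


def safe_return_url(target: str, base_url: str = JIRA_BASE_URL) -> str:
    """Redirect destination to use: the requested one if it is inside the instance,
    otherwise a fixed landing page (the dashboard path here is an example default)."""
    return target if is_safe_redirect(target, base_url) else base_url + "/secure/Dashboard.jspa"


if __name__ == "__main__":
    # Constructed sample parameter values, benign and malicious.
    for candidate in [
        "/jira/browse/ABC-1",
        "https://jira.example.com/jira/secure/Dashboard.jspa",
        "//evil.example/jira",
        "/\\evil.example",
        "https:evil.example",
        "https://jira.example.com@evil.example/jira",
        "javascript:alert(1)",
        "/jira/../secure/admin",
    ]:
        print(f"{candidate!r:55} -> {safe_return_url(candidate)}")
```

The comparison of host and port is deliberately exact, so a target spelling out the default port (jira.example.com:443) is rejected along with everything else that does not match the configured base URL; that is the conservative side to err on. The context path is treated as part of the instance boundary, which is why "/jira/../secure/admin" is refused after dot-segment normalisation even though it would stay on the same host.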
All versions of JIRA prior to 4.2.2 are affected.
We recommend upgrading your JIRA installation to fix this vulnerability. Please see the 'Fix' section below.
This issue has been fixed in JIRA 4.2.2 and later.
We have also created a patch for this vulnerability for the latest maintenance release of the previous line, JIRA 4.1.2.
Supported JIRA version: 4.1.2
Instructions on how to apply the patch are included in the zip file.