JIRA Security Advisory 2011-02-21
This advisory announces a security vulnerability that has been found in all versions of JIRA prior to 4.2.2 and fixed in 4.2.2 and later versions. Enterprise Hosted customers should request an upgrade by filing a ticket at http://support.atlassian.com. JIRA Studio is not vulnerable to any of the issues described in this advisory.
Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
In this advisory:
Parameter-Based Redirection Vulnerability
Atlassian rates this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low. This vulnerability is not critical.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
Parameter-based redirection vulnerabilities allow an attacker to craft a JIRA URL in such a way that a user clicking on this URL will be redirected to a different web site. This can be used for phishing.
Some actions in JIRA redirect users to a new page after the action has been completed. It was possible to hand-craft an URL that would redirect to a site outside the current instance of JIRA. Starting with JIRA 4.2.2 all such redirections are limited to pages inside the current instance of JIRA.
All versions of JIRA prior to 4.2.2 are affected.
We recommend upgrading your JIRA installation to fix this vulnerability. Please see the 'Fix' section below.
These issues have been fixed in JIRA 4.2.2 and later.
We have created a patch for the latest maintenance release 4.1.2 of JIRA for this vulnerability.
Please note that we have released a number of advisories about JIRA recently. We recommend that you review them and upgrade to the most recent release of the product or apply external security controls if you cannot. Most of the disclosed vulnerabilities are not critical and often present less risk when used in a corporate environment with no access from the Internet.
We usually provide patches only for vulnerabilities of critical severity, as an interim solution until you can upgrade. You should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative – we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend to upgrade to the most recent version regularly.
We recommend patching only when you can neither upgrade nor apply external security controls.
Supported JIRA Version
Instructions on how to apply the patch are included in the zip file