JIRA Security Advisory 2015-12-09
Issue: JIRA may send emails with incorrect attachments.
Note: As of September 2014 we are no longer issuing binary bug patches. Instead we create new maintenance releases for the major versions we are back-porting fixes to.
Date of Advisory: (UTC)
CVE ID: CVE-2015-8481
Products:
- JIRA Core
- JIRA Service Desk
- JIRA Software
Affected JIRA product versions:
- 7.0.3 <= version < 7.0.4
Summary of Vulnerability
This advisory discloses a medium severity security vulnerability which was introduced in version 7.0.3 of JIRA Software and JIRA Core. Versions of JIRA Software and JIRA Core from 7.0.3 up to, but not including, 7.0.4 are vulnerable. Version 3.0.3 of the bundled JIRA Service Desk installer was packaged with version 7.0.3 of JIRA.
Atlassian Cloud instances have already been upgraded to a version of JIRA which does not have the issue described on this page.
Customers who have upgraded JIRA to version 7.0.4 are not affected.
Customers who have downloaded and installed JIRA 7.0.3 and have not upgraded to 7.0.4: please upgrade your JIRA installations immediately to fix this vulnerability.
JIRA may send emails with incorrect image attachments.
Atlassian rates the severity level of this vulnerability as medium, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.
This is our assessment, and you should evaluate its applicability to your own IT environment.
A bug introduced in recent versions of JIRA Software, JIRA Service Desk, and JIRA Core may have caused users to receive an image in a JIRA email notification which was not intended for them.
The bug was triggered only under very specific circumstances:
- A JIRA issue containing a field or comment with a reference to an image not stored on the JIRA instance (for example, http://www.example.com/image1.gif) was updated
- E-mail notifications were configured for that issue
- An unrelated JIRA issue containing wiki markup referencing an attached image was viewed by any user
- Both issues were part of the same JIRA instance (but not necessarily the same project)
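The four trigger conditions above combine a version check with two content checks on issues in the same instance. The following audit helper, an added example that is not Atlassian's code, lets an administrator who cannot upgrade on the spot identify which issues met those conditions on a 7.0.3 instance. It assumes JIRA wiki markup, where `!name.png!` embeds an attached image and `!http://host/path.gif!` or a bare URL references an external image; the `Issue` record, the sample issues and the version strings are constructed for the example, and the `notifications` flag stands in for whatever notification scheme lookup a real audit would perform.

```python
import re
from dataclasses import dataclass

# Version range from the advisory: 7.0.3 <= version < 7.0.4
AFFECTED_MIN = (7, 0, 3)   # first affected release (inclusive)
FIXED = (7, 0, 4)          # first fixed release (exclusive)

# JIRA wiki image macro: !target! or !target|options!  (assumed markup, not from the advisory)
WIKI_IMAGE = re.compile(r"!([^!|\s]+)(?:\|[^!]*)?!")
# Bare URL ending in an image extension, e.g. http://www.example.com/image1.gif
BARE_URL = re.compile(r"https?://[^\s<>\"']+\.(?:gif|png|jpe?g)\b", re.IGNORECASE)


def parse_version(text):
    """'7.0.3' -> (7, 0, 3). Anything after a '-' (build qualifier) is ignored (assumption)."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected_version(text):
    """True when the version falls inside the range given in the advisory."""
    return AFFECTED_MIN <= parse_version(text) < FIXED


def classify_image_refs(text):
    """Split image references in issue text into (remote, attached) lists.

    remote   - images not stored on the JIRA instance (condition 1 in the advisory)
    attached - wiki markup referencing an attachment (condition 3 in the advisory)
    """
    remote, attached = [], []
    for match in WIKI_IMAGE.finditer(text):
        target = match.group(1)
        if target.lower().startswith(("http://", "https://")):
            remote.append(target)
        else:
            attached.append(target)
    for match in BARE_URL.finditer(text):
        if match.group(0) not in remote:       # the same URL may also sit inside !...!
            remote.append(match.group(0))
    return remote, attached


@dataclass
class Issue:
    key: str             # issue key, constructed
    text: str            # description and comments concatenated
    notifications: bool  # e-mail notifications configured for this issue (condition 2)


def audit(version, issues):
    """Report which issues matched each trigger condition and whether all four could coincide."""
    report = {
        "affected_version": is_affected_version(version),
        "remote_image_issues": [],      # conditions 1 + 2: external image and notifications on
        "wiki_attachment_issues": [],   # condition 3: attached image referenced via wiki markup
        "exposed": False,
    }
    if not report["affected_version"]:
        return report
    for issue in issues:
        remote, attached = classify_image_refs(issue.text)
        if remote and issue.notifications:
            report["remote_image_issues"].append(issue.key)
        if attached:
            report["wiki_attachment_issues"].append(issue.key)
    # Condition 4: both kinds of issue exist on the same instance (any project)
    report["exposed"] = bool(report["remote_image_issues"]) and bool(report["wiki_attachment_issues"])
    return report


# Constructed sample issues; keys and text are made up for the example.
SAMPLE_ISSUES = [
    Issue("PROJ-1", "Screenshot: http://www.example.com/image1.gif (external host)", True),
    Issue("OTHER-7", "See !layout.png|thumbnail! for the mock-up", False),
    Issue("PROJ-2", "Plain text comment, no images", True),
]

if __name__ == "__main__":
    for version in ("7.0.3", "7.0.4"):
        print(version, audit(version, SAMPLE_ISSUES))
```

On an affected version the report lists PROJ-1 (external image with notifications on) and OTHER-7 (wiki-referenced attachment) and flags the instance as exposed; on 7.0.4 the content checks are skipped because the version is outside the affected range.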
We became aware of this problem on 4th December 2015.
For Cloud, a fix was rolled out for all Cloud customers within 24 hours of identifying the bug. The vulnerability existed between Monday November 30th and Saturday, December 5th, 2015. This bug affected only 0.4% of our JIRA Cloud instances.
- JIRA Software 7.0.3 and JIRA Core 7.0.3 are affected by this vulnerability.
- JIRA Service Desk 3.0.3, when used with JIRA 7.0.3, is also affected by this vulnerability.
We have taken the following steps to address this issue:
- Released a new version of JIRA Software (7.0.4)
- Released a new version of the JIRA Service Desk bundled installer (3.0.4)
- Released a new version of JIRA Core (7.0.4)
What You Need to Do
The vulnerabilities and fix versions are described in the Description section above. Atlassian recommends that you upgrade to the latest version.
If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.
Security Bug Fix Policy: As per our new policy, critical security bug fixes will be back-ported to major software versions for up to 12 months for JIRA and Confluence. We will release new maintenance releases for the versions covered by the new policy instead of binary patches. Binary patches will no longer be released.
Severity Levels for Security Issues: Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.
End of Life Policy: Our end of life policy varies for different products. Please refer to our EOL Policy for details.