JIRA Security Advisory 2015-12-09

Issue: JIRA may send emails with incorrect attachments.

Note: As of September 2014 we are no longer issuing binary bug patches, Instead we create new maintenance releases for the major versions we are back porting.

Date of Advisory:    (UTC)

CVE ID: CVE-2015-8481

Affected Products:

  • JIRA Core 
  • JIRA Service Desk
  • JIRA Software

Affected JIRA product versions:

  • 7.0.3 <= version < 7.0.4

Summary of Vulnerability

This advisory discloses a medium severity security vulnerability which was introduced in version 7.0.3 of JIRA Software and JIRA Core. Versions of JIRA Software and JIRA Core starting with 7.0.3 before 7.0.4 are vulnerable. Version 3.0.3 of the bundled JIRA Service Desk installer was packaged with version 7.0.3 of JIRA.

 

Atlassian Cloud instances have already been upgraded to a version of JIRA which does not have the issue described on this page. 

Customers who have upgraded JIRA to version 7.0.4 are not affected

Customers who have downloaded and installed JIRA 7.0.3 and have not upgraded to 7.0.4

Please upgrade your JIRA installations immediately to fix this vulnerability.

JIRA may send emails with incorrect image attachments.

Severity

Atlassian rates the severity level of this vulnerability as medium, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment, and you should evaluate its applicability to your own IT environment.

Description

A bug introduced in recent versions of JIRA Software, JIRA Service Desk, and JIRA Core may have caused users to receive an image in a JIRA email notification which was not intended for them.

The bug was triggered only under very specific circumstances

  1. A JIRA issue containing a field or comment with a reference to an image not stored on the JIRA instance (for example, http://www.example.com/image1.gif) was updated
  2. E-mail notifications were configured for that issue
  3. An unrelated JIRA issue containing wiki markup referencing an attached image was viewed by any user
  4. Both issues were part of the same JIRA instance (but not necessarily the same project)

Under those circumstances, the notification would have contained the image from the unrelated issue rather than the image from the first issue, regardless of the permission restrictions on the unrelated JIRA issue. Please note that the bug is limited to images, such as icons, screenshots, or file types like PNG, GIF, or JPG. Non-image attachments (i.e. Word documents, Excel files, and PDFs) are NOT affected.
For JIRA Service Desk, email notifications with the incorrect image would have only been sent to users with access to the internal view of JIRA Service Desk tickets (i.e. agents). The incorrect image would NOT have been sent to anyone with only the external view of a ticket (i.e. users who have the "customer" or "participant" role).

We became aware of this problem on 4th December 2015.  

For Cloud, a fix was rolled out for all Cloud customers within 24 hours of identifying the bug.  The vulnerability existed between Monday November 30th and Saturday, December 5th, 2015. This bug affected only 0.4% of our JIRA Cloud instances.

For Server:

  • JIRA Software 7.0.3 and JIRA Core 7.0.3 are affected by this vulnerability.
  • JIRA Service Desk 3.0.3, when used with JIRA 7.0.3, is also affected by this vulnerability.

This issue can be tracked here:  JRA-47557 - Getting issue details... STATUS .

 

Fix

We have taken the follow steps to address this issue:

  1. Released a new version of JIRA Software (7.0.4)
  2. Released a new version of the JIRA Service Desk bundled installer (3.0.4)
  3. Released a new version of JIRA Core (7.0.4)

What You Need to Do

Upgrade (recommended)

The vulnerabilities and fix versions are described in the Description section above. Atlassian recommends that you upgrade to the latest version. 

 

For a full description of the latest version of JIRA Software, see the release notes. You can download the latest version of JIRA Software from the download centre.

For a full description of the latest version of JIRA Service Desk, see the release notes. You can download the version of JIRA Service Desk from the download centre .

For a full description of the latest version of JIRA Core, see the release notes . You can download the latest version of JIRA Core from the download centre .

Support

If you have questions or concerns regarding this advisory, please raise a support request at http://support.atlassian.com/.

References

Security Bug fix Policy

As per our new policy critical security bug fixes will be back ported to major software versions for up to 12 months for JIRA and Confluence.  We will release new maintenance releases for the versions covered by the new policy instead of binary patches.

Binary patches will no longer be released. 

Severity Levels for security issues Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.
End of Life Policy  Our end of life policy varies for different products. Please refer to our EOL Policy for details. 
Last modified on Dec 9, 2015

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.