JIRA Security Advisory 2010-12-06

In this advisory:

XSS Vulnerabilities in URL Query Strings

Severity

Atlassian rates these vulnerabilities as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a number of cross-site scripting (XSS) vulnerabilities which may affect JIRA instances. These vulnerabilities have security implications and are especially important for anyone running publicly accessible instances of JIRA. XSS vulnerabilities allow an attacker to embed their own JavaScript into a JIRA page. You can read more about XSS attacks at cgisecurity, the Web Application Security Consortium and other places on the web.

Vulnerability

Some values from JIRA URLs were being injected directly into JavaScript, potentially enabling an attacker to add scripts to another user's response.
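The following Python example is added here and is not part of Atlassian's advisory or of JIRA's code. It shows the unsafe pattern the paragraph describes next to the encoding that removes it: a URL query value is first concatenated straight into an inline script, then written as a properly escaped JavaScript string literal so that nothing in the value can end the script element or the statement early. The page fragment, the variable name `q`, and the sample query value are constructed for the example.

```python
import json

# Constructed sample of an attacker-controlled URL query value. It contains the
# characters that matter when text lands inside a JavaScript string literal in
# an inline <script> block: a double quote, '<' and '>' (which could close the
# script element), and the U+2028 line separator, which JavaScript treats as a
# line terminator.
SAMPLE_QUERY_VALUE = 'search term"; </script><b>x</b> \u2028 tail'


def render_vulnerable(query_value: str) -> str:
    """The pattern the advisory describes: the raw URL value is concatenated
    straight into JavaScript, so whatever it contains becomes script."""
    return f'<script>var q = "{query_value}";</script>'


def js_string_literal(value: str) -> str:
    """Encode a value as a JavaScript string literal that is safe inside an
    inline <script> block.

    json.dumps with ensure_ascii=True escapes quotes, backslashes, control
    characters and every non-ASCII character (so U+2028/U+2029 come out as
    \\u2028/\\u2029). JSON leaves '<', '>' and '&' alone, so those are escaped
    too; with '<' encoded, the literal can never contain '</script>'.
    """
    literal = json.dumps(value, ensure_ascii=True)
    return (literal.replace('<', '\\u003c')
                   .replace('>', '\\u003e')
                   .replace('&', '\\u0026'))


def render_safe(query_value: str) -> str:
    """Same page fragment, with the value passed through js_string_literal."""
    return f'<script>var q = {js_string_literal(query_value)};</script>'


def script_body(markup: str) -> str:
    """Return the JavaScript between the outermost <script> ... </script> tags."""
    start = markup.index('<script>') + len('<script>')
    end = markup.rindex('</script>')
    return markup[start:end]


def body_can_break_out(markup: str) -> bool:
    """True if the script body contains a character that can end the script
    element ('<', '>') or the current statement (U+2028, U+2029) early."""
    body = script_body(markup)
    return any(ch in body for ch in ('<', '>', '\u2028', '\u2029'))


def round_trips(value: str) -> bool:
    """The encoded literal must still decode to exactly the original value:
    escaping changes how the value is written, not what the script sees."""
    return json.loads(js_string_literal(value)) == value


if __name__ == '__main__':
    print('vulnerable rendering can break out:', body_can_break_out(render_vulnerable(SAMPLE_QUERY_VALUE)))
    print('safe rendering can break out:      ', body_can_break_out(render_safe(SAMPLE_QUERY_VALUE)))
    print(render_safe(SAMPLE_QUERY_VALUE))
```

The check in `body_can_break_out` is deliberately narrow: it is the property a reviewer can test for any inline-script rendering, while `round_trips` confirms the escaping did not alter the data the page receives.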

All versions of JIRA prior to 4.2.1 are affected.

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix these vulnerabilities. Please see the 'Fix' section below.

Fix

These issues have been fixed in JIRA 4.2.1 and later, and are available as a patch for JIRA 3.13.5, 4.0.2 and 4.1.2 (please see JRA-22493).

XSRF Vulnerabilities

Severity

Atlassian rates this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed several cross-site request forgery (XSRF/CSRF) vulnerabilities in JIRA. These vulnerabilities have security implications and are especially important for anyone running publicly accessible instances of JIRA.

  • An attacker might take advantage of the vulnerability to fraudulently act on behalf of a legitimate user.

You can read more about XSRF/CSRF attacks at cgisecurity, wikipedia and other places on the web.

Vulnerability

Some JIRA administration screens did not have XSRF protection. A targeted attack on a vulnerable system could result in an attacker gaining access to user credentials, potentially giving them access to the JIRA data and system.
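As an added illustration that is not Atlassian's code, the Python below contrasts an administration action that checks only the logged-in session (the gap the paragraph describes) with one that also requires a per-session XSRF token carried in the form. The session class, the hidden field name `xsrf_token`, the action path and the HTTP status codes are constructed for the example and are not JIRA's own names.

```python
import hmac
import secrets
from typing import Optional, Tuple


class Session:
    """Server-side session for a logged-in user (constructed for this example).
    The XSRF token is generated once per session and is never placed in a
    cookie, so a page on another origin cannot read it or guess it."""

    def __init__(self, user: str):
        self.user = user
        self.xsrf_token = secrets.token_urlsafe(32)


def render_admin_form(session: Session) -> str:
    """Emit a state-changing admin form. The field name 'xsrf_token' and the
    action path are placeholders, not JIRA's own."""
    return ('<form method="post" action="/admin/example-action">'
            f'<input type="hidden" name="xsrf_token" value="{session.xsrf_token}">'
            '<input type="submit" value="Apply"></form>')


def handle_admin_post_unprotected(session: Optional[Session], form: dict) -> Tuple[int, str]:
    """The gap described in the advisory: only the session (the cookie the
    browser attaches automatically) is checked, so a request triggered from a
    third-party page while the administrator is logged in passes."""
    if session is None:
        return 401, 'not logged in'
    return 200, f'action applied for {session.user}'


def handle_admin_post(session: Optional[Session], form: dict) -> Tuple[int, str]:
    """Hardened handler: the request must also carry the session's token.
    compare_digest runs in constant time, so a wrong value does not reveal
    how many leading characters matched."""
    if session is None:
        return 401, 'not logged in'
    submitted = form.get('xsrf_token', '')
    if not submitted or not hmac.compare_digest(submitted.encode(), session.xsrf_token.encode()):
        return 403, 'XSRF token missing or invalid'
    return 200, f'action applied for {session.user}'


def demo() -> dict:
    """Exercise both handlers with a legitimate submission and a forged one.
    The forged request models a cross-origin page submitting the form: the
    browser sends the admin's cookie, but the page cannot include the token."""
    session = Session('admin')
    forged_form: dict = {}
    legit_form = {'xsrf_token': session.xsrf_token}
    return {
        'unprotected_forged': handle_admin_post_unprotected(session, forged_form)[0],
        'protected_forged': handle_admin_post(session, forged_form)[0],
        'protected_wrong_token': handle_admin_post(session, {'xsrf_token': 'not-it'})[0],
        'protected_legit': handle_admin_post(session, legit_form)[0],
        'protected_no_session': handle_admin_post(None, legit_form)[0],
    }


if __name__ == '__main__':
    for case, status in demo().items():
        print(f'{case:24s} -> HTTP {status}')
```

The token check has to sit in front of every state-changing administration action, not only the ones an auditor happened to look at; the advisory's fix is exactly that extension of coverage.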

All versions of JIRA prior to 4.2.1 are affected.

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix these vulnerabilities. Please see the 'Fix' section below.

Fix

JIRA's XSRF protection has been extended to cover previously unprotected areas. The known XSRF issues have been fixed in JIRA 4.2.1 and later, and are available as a patch for JIRA 3.13.5, 4.0.2 and 4.1.2 (please see JRA-22493).

Vulnerability in Secure Tokens

Severity

Atlassian rates this vulnerability as moderate, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a vulnerability relating to the creation of secure tokens, which are used in various authentication mechanisms. This vulnerability has security implications and is especially important for anyone running publicly accessible instances of JIRA.

  • Unauthorised users may be able to gain access to JIRA on behalf of a legitimate user.

Vulnerability

A highly skilled attacker could potentially forge a secure token, allowing them to impersonate a legitimate user.

All versions of JIRA prior to 4.2 are affected.

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix this vulnerability. Please see the 'Fix' section below.

Fix

This issue has been fixed in JIRA 4.2 and later. The random number generator used to generate tokens has been hardened.
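The advisory does not say which generator was replaced or with what, so the Python below is an added example of the general point rather than JIRA's fix: tokens drawn from a general-purpose PRNG are a deterministic function of its state and can be reproduced by anyone holding that state, whereas tokens from the operating system's cryptographic RNG have no such state to recover. The token length and the seed value are constructed for the example.

```python
import random
import secrets

TOKEN_BYTES = 16  # 128 bits of token material (constructed choice)


def weak_token(rng: random.Random) -> str:
    """Token drawn from a general-purpose PRNG (Python's random is a Mersenne
    Twister). Its output is a deterministic function of the internal state, so
    a second generator in the same state produces the very same tokens; that
    is what makes such a token forgeable."""
    return rng.getrandbits(TOKEN_BYTES * 8).to_bytes(TOKEN_BYTES, 'big').hex()


def strong_token() -> str:
    """Token from the operating system's cryptographic RNG via the secrets
    module; there is no seed or recoverable state to reproduce."""
    return secrets.token_hex(TOKEN_BYTES)


def weak_tokens_are_reproducible(seed: int, count: int = 3) -> bool:
    """Demonstrate the defect: two generators in the same state emit the same
    token sequence, so the 'secret' tokens are not secret at all."""
    server = random.Random(seed)
    other = random.Random(seed)
    return [weak_token(server) for _ in range(count)] == [weak_token(other) for _ in range(count)]


def strong_tokens_look_sound(count: int = 200) -> bool:
    """Cheap sanity checks a reviewer can apply to any token source: expected
    length and no repeats across a batch. Passing them is necessary, not
    sufficient; the real assurance comes from the CSPRNG behind secrets."""
    batch = [strong_token() for _ in range(count)]
    return len(set(batch)) == count and all(len(t) == TOKEN_BYTES * 2 for t in batch)


if __name__ == '__main__':
    print('weak tokens reproducible from shared state:', weak_tokens_are_reproducible(20101206))
    print('strong token batch passes sanity checks:   ', strong_tokens_look_sound())
    print('example strong token:', strong_token())
```

When reviewing token-issuing code, the question to ask is which generator class backs it: anything seeded from a small or guessable value, or designed for simulation rather than secrecy, belongs in the first function above, not the second.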

Vulnerability in Component Data

Severity

Atlassian rates this vulnerability as low, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a data vulnerability in JIRA. This vulnerability has security implications and is especially important for anyone running publicly accessible instances of JIRA.

  • Unauthorised users may be able to view a list of components defined in your JIRA system.

Vulnerability

Component data could be viewed by unauthorised users.

All versions of JIRA prior to 4.2 are affected.

Risk Mitigation

We strongly recommend upgrading your JIRA installation to fix this vulnerability. Please see the 'Fix' section below.

Fix

This issue has been fixed in JIRA 4.2 and later.
