CVE-2019-13990 - XXE (XML External Entity Injection) Vulnerability In Jira Service Management Data Center and Jira Service Management Server



Summary: CVE-2019-13990 - XXE (XML External Entity Injection) Vulnerability in Jira Service Management Data Center and Server
Advisory Release Date: Tue, Oct 17 2023 10:00 PDT
Products:
  • Jira Service Management Data Center
  • Jira Service Management Server
CVE ID: CVE-2019-13990
Related Jira Ticket(s):



Summary of Vulnerability

Certain versions of Jira Service Management Server and Data Center were affected by CVE-2019-13990. The affected versions shipped with vulnerable versions of the Terracotta Quartz Scheduler library, which allowed authenticated attackers to carry out an XML External Entity (XXE) injection attack through job descriptions.

Atlassian has committed to issuing critical advisories based on the NVD vulnerability score. In this case the NVD CVSS score for this third-party CVE is critical (9.8), but that score does not always account for the context in which a vulnerable component is used in our software. Unauthenticated attackers without local access to the system cannot exploit this vulnerability. As such, our internal assessment rates this vulnerability as high severity.
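To illustrate the vulnerability class this advisory describes, the following is an added example written for this page; it is not Atlassian or Quartz code and does not reproduce the Jira Service Management attack path. It uses Python's xml.sax as a stand-in for any XML parser: with external general entity resolution switched on, a job-like document whose description is an external entity reference pulls a local file into the parsed text (the local-access, high-confidentiality impact the vector in the Severity section reflects); with resolution left off, the same reference expands to nothing; and with DOCTYPE declarations rejected outright, the document is refused before any entity can be declared. The XML, the secret file and its contents are constructed for the demonstration.

```python
# Added illustration of XML External Entity (XXE) injection, the vulnerability class
# this advisory describes.  Not Atlassian or Quartz code: Python's xml.sax stands in
# for any XML parser, and the job-like document, the "secret" file and its contents
# are constructed for the demonstration.
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects the character data the parser reports."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


class RejectDoctype:
    """Lexical handler that refuses any document carrying a DOCTYPE.  Entity
    declarations can only appear in the DTD, so a parser that aborts on the DTD
    can never be made to resolve attacker-declared entities."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE declarations are not accepted")

    # Remaining LexicalHandler callbacks are not needed for this check.
    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def xxe_payload(path):
    """Constructed attacker input: a job-description-like document whose text is a
    reference to an external entity naming a file on the parsing host."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE job [<!ENTITY xxe SYSTEM "{path}">]>\n'
        "<job><description>&xxe;</description></job>"
    ).encode()


def parse_description(xml_bytes, resolve_external_entities, reject_doctype=False):
    """Return the text content of xml_bytes under a chosen parser configuration.

    resolve_external_entities=True is the vulnerable setting: SYSTEM entities are
    fetched and spliced into the document.  False (xml.sax's default since Python
    3.7.1) leaves the reference empty.  reject_doctype=True aborts on any DTD.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    if reject_doctype:
        parser.setProperty(handler.property_lexical_handler, RejectDoctype())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks).strip()


def demo():
    """Write a constructed secret to a temp file and parse the same payload three ways."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db-password=hunter2")
        secret_path = f.name
    try:
        payload = xxe_payload(secret_path)
        leaked = parse_description(payload, resolve_external_entities=True)
        blanked = parse_description(payload, resolve_external_entities=False)
        try:
            parse_description(payload, resolve_external_entities=True, reject_doctype=True)
            rejected = False
        except (ValueError, xml.sax.SAXException):
            rejected = True
    finally:
        os.unlink(secret_path)
    return {"leaked": leaked, "blanked": blanked, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Disabling entity resolution stops the file read, but the DOCTYPE-rejecting configuration is the stronger choice for any input that has no legitimate need for a DTD, since it also removes entity-expansion denial-of-service and parameter-entity tricks that a resolution flag alone may not cover.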

Severity

While NVD rates the severity of this vulnerability as critical, Atlassian rates it as high (8.4, with the vector CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) per our internal assessment. This is our assessment, and you should evaluate its applicability to your own IT environment.

Affected Versions

This XXE (XML External Entity Injection) vulnerability affects Jira Service Management Data Center and Server versions 4.20.0 and later, up to the fixed versions listed under Fixed Versions below. Versions outside of the support window could also be affected; Atlassian recommends upgrading to the fixed LTS version or later.

Product: Jira Service Management Data Center and Server
Affected Versions:
  • 4.20.0
  • 4.20.1
  • 4.20.2
  • 4.20.3
  • 4.20.4
  • 4.20.5
  • 4.20.6
  • 4.20.7
  • 4.20.8
  • 4.20.9
  • 4.20.10
  • 4.20.11
  • 4.20.12
  • 4.20.13
  • 4.20.14
  • 4.20.15
  • 4.20.16
  • 4.20.17
  • 4.20.18
  • 4.20.19
  • 4.20.20
  • 4.20.21
  • 4.20.22
  • 4.20.23
  • 4.20.24
  • 4.20.25
  • 4.21.0
  • 4.21.1
  • 4.22.0
  • 4.22.1
  • 4.22.2
  • 4.22.3
  • 4.22.4
  • 4.22.6
  • 5.0.0
  • 5.1.0
  • 5.1.1
  • 5.2.0
  • 5.2.1
  • 5.3.0
  • 5.3.1
  • 5.3.2
  • 5.3.3
  • 5.4.0
  • 5.4.1
  • 5.4.2
  • 5.4.3
  • 5.4.4
  • 5.4.5
  • 5.4.6
  • 5.4.7
  • 5.4.8
  • 5.4.9
  • 5.5.1
  • 5.6.0
  • 5.7.0
  • 5.7.1
  • 5.8.0
  • 5.8.1
  • 5.9.0
  • 5.10.0

What You Need To Do

Fixed Versions

Atlassian recommends that you upgrade each of your affected installations to one of the fixed versions listed below (or any later version).

Product: Jira Service Management Data Center and Server
Fixed Versions:
  • 4.20.26 or later
  • 5.4.10 or later
  • 5.7.2 or later
  • 5.8.2 or later
  • 5.9.2 or later
  • 5.10.1 or later
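Checking an estate against the Affected Versions and Fixed Versions lists above by hand is error-prone because the branches are patched independently (a 5.4.x install is fixed at 5.4.10, a 4.20.x install at 4.20.26, and branches such as 4.22 or 5.5 have no fix release of their own). The following added example, written for this page and not an Atlassian tool, encodes the advisory's fixed-version table and classifies any major.minor.patch version string numerically; the hostnames and versions in its sample inventory are constructed.

```python
# Added example, not an Atlassian tool: classifies Jira Service Management Server /
# Data Center versions against the affected and fixed versions published in this
# advisory.  The fixed-version table is transcribed from the advisory; hostnames and
# versions in the sample inventory are constructed.

# Fixed versions from the advisory, keyed by the major.minor branch each one patches.
FIXED_BY_BRANCH = {
    (4, 20): (4, 20, 26),
    (5, 4): (5, 4, 10),
    (5, 7): (5, 7, 2),
    (5, 8): (5, 8, 2),
    (5, 9): (5, 9, 2),
    (5, 10): (5, 10, 1),
}
FIRST_AFFECTED = (4, 20, 0)            # earliest version the advisory lists
HIGHEST_BRANCH = max(FIXED_BY_BRANCH)  # the advisory covers nothing newer than this


def parse_version(text):
    """'5.4.10' -> (5, 4, 10); tuples compare numerically, unlike the strings."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a major.minor.patch version: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(version):
    return ".".join(str(n) for n in version)


def assess(version_text):
    """Return (status, recommended upgrade target) for one version string.

    status is 'affected', 'fixed', 'unknown' (older than the advisory's range,
    i.e. outside the support window) or 'not listed' (newer than any branch the
    advisory covers).
    """
    v = parse_version(version_text)
    branch = v[:2]
    if v < FIRST_AFFECTED:
        return ("unknown", "upgrade to a fixed LTS version or later")
    if branch > HIGHEST_BRANCH:
        return ("not listed", None)
    fix = FIXED_BY_BRANCH.get(branch)
    if fix is not None:
        return ("fixed", None) if v >= fix else ("affected", fmt(fix))
    # Branch with no fix release of its own (4.21, 4.22, 5.0 to 5.3, 5.5, 5.6):
    # the nearest upgrade path is the lowest fixed version on a higher branch.
    next_fix = min(f for f in FIXED_BY_BRANCH.values() if f > v)
    return ("affected", fmt(next_fix))


def triage(inventory_lines):
    """Apply assess() to 'hostname version' lines and return {hostname: result}."""
    results = {}
    for line in inventory_lines:
        host, version = line.split()
        results[host] = assess(version)
    return results


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    "jsm-prod-1 4.20.25",
    "jsm-prod-2 4.20.26",
    "jsm-stage 5.4.9",
    "jsm-legacy 4.19.1",
    "jsm-dev 5.5.1",
]

if __name__ == "__main__":
    for host, (status, target) in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status:11} {target or '-'}")
```

Versions are compared as integer tuples rather than strings: a string comparison puts 4.20.9 after 4.20.26 (the same ordering that scrambled the original affected-versions list) and would mark a vulnerable 4.20.9 install as fixed.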

Mitigation

If you are unable to upgrade to a fixed version immediately, you can temporarily mitigate this vulnerability by disabling Assets on your Jira Service Management instance by following these instructions. This has the consequence of disabling Assets functionality until Assets is re-enabled.

To avoid any downtime, make sure to disable / enable Assets outside of working hours.


Frequently Asked Questions (FAQ)

More details can be found at the Frequently Asked Questions (FAQ) page.


Support

If you did not receive an email for this advisory, and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails. If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

References

Security Bug Fix Policy: As per our new policy, critical security bug fixes will be back-ported. We will release new maintenance releases for the versions covered by the policy instead of binary patches. Binary patches are no longer released.
Security Levels for Security Issues: Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org.
End of Life Policy: Our end of life policy varies for different products. Please refer to our EOL Policy for details.
Last modified on Nov 8, 2023
