CVE-2019-13990 - XXE (XML External Entity Injection) Vulnerability In Jira Service Management Data Center and Jira Service Management Server
CVE-2019-13990 - XXE (XML External Entity Injection) Vulnerability in Jira Service Management Data Center and Server
| Summary | CVE-2019-13990 - XXE (XML External Entity Injection) Vulnerability in Jira Service Management Data Center and Server |
| Advisory Release Date | Tue, Oct 17 2023 10:00 PDT |
| Products |
|
| CVE ID | CVE-2019-13990 |
| Related Jira Ticket(s) |
Summary of Vulnerability
Certain versions of Jira Service Management Server & Data Center were affected by CVE-2019-13990. The affected versions contained vulnerable versions of Terracotta Quartz Scheduler which allowed authenticated attackers to initiate an XML External Entity injection attack using job descriptions.
Atlassian has committed to issuing critical advisories based on the NVD vulnerability score, in this case the CVSS for this third party CVE is critical (9.8), but this score doesn’t always account for the context in which a vulnerable component is used in our software. Unauthenticated attackers without local access to the system are unable to exploit this vulnerability. As such, our internal assessment of this vulnerability is scored as high severity.
Severity
While NVD rates the severity level of this vulnerability as critical, Atlassian rates the severity level of this vulnerability as high (8.4 with the following vector CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) per our internal assessment. This is our assessment, and you should evaluate its applicability to your own IT environment.
Affected Versions
This XXE (XML External Entity Injection) vulnerability affects all versions including and after 4.20.0 of Jira Service Management Data Center and Server. Versions outside of the support window could be affected, Atlassian recommends upgrading to the fixed LTS version or later.
| Product | Affected Versions |
|---|---|
| Jira Service Management Data Center and Server |
|
What You Need To Do
Fixed Versions
Atlassian recommends that you upgrade each of your affected installations to one of the listed fixed versions (or any later version) below.
| Product | Fixed Versions |
|---|---|
| Jira Service Management Data Center and Server |
|
Mitigation
If you are unable to upgrade to a fixed version immediately, you can temporarily remediate this vulnerability by disabling Assets on your Jira Service Management instance by following these instructions. This has the consequence of disabling Assets functionality.To avoid any downtime, make sure to disable / enable Assets outside of working hours.
Frequently Asked Questions (FAQ)
More details can be found at the Frequently Asked Questions (FAQ) page.
Support
If you did not receive an email for this advisory, and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails. If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
References
| Security Bug Fix Policy | As per our new policy critical security bug fixes will be back ported. We will release new maintenance releases for the versions covered by the policy instead of binary patches. Binary patches are no longer released. |
| Security Levels for Security Issues | Atlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at FIRST.org. |
| End of Life Policy | Our end of life policy varies for different products. Please refer to our EOL Policy for details. |