Jira Security Advisory - 2019-09-18 - CVE-2019-15001

From: Atlassian <security@atlassian.com>
To: bugtraq@securityfocus.com
Subject: Jira Security Advisory - 2019-09-18 - CVE-2019-15001



This email refers to the advisory found at
https://confluence.atlassian.com/x/KkU4Og .


CVE ID:

* CVE-2019-15001.


Product: Jira Server and Data Center.

Affected Jira Server and Data Center product versions:

7.0.10 <= version < 7.6.16
7.7.0 <= version < 7.13.8
8.0.0 <= version < 8.1.3
8.2.0 <= version < 8.2.5
8.3.0 <= version < 8.3.4
8.4.0 <= version < 8.4.1


Fixed Jira Server and Data Center product versions:

* for 7.6.x, Jira Server and Data Center 7.6.16 has been released with a fix for
this issue.
* for 7.13.x, Jira Server and Data Center 7.13.8 has been released with a fix
for this issue.
* for 8.1.x, Jira Server and Data Center 8.1.3 has been released with a fix for
this issue.
* for 8.2.x, Jira Server and Data Center 8.2.5 has been released with a fix for
this issue.
* for 8.3.x, Jira Server and Data Center 8.3.4 has been released with a fix for
this issue.
* for 8.4.x, Jira Server and Data Center 8.4.1 has been released with a fix for
this issue.


Summary:
This advisory discloses a critical severity security vulnerability. Versions of
Jira Server and Data Center starting with version 7.0.10 before 7.6.16 (the
fixed version for 7.6.x), from version 7.7.0 before 7.13.8 (the fixed version
for 7.13.x), from version 8.0.0 before 8.1.3 (the fixed version for 8.1.x), from
version 8.2.0 before 8.2.5 (the fixed version for 8.2.x), from version 8.3.0
before 8.3.4 (the fixed version for 8.3.x), and from version 8.4.0 before 8.4.1
(the fixed version for 8.4.x) are affected by this vulnerability.



Customers who have upgraded Jira Server and Data Center to version 7.6.16,
7.13.8, 8.1.3, 8.2.5, 8.3.4 or 8.4.1 are not affected.

Customers who have downloaded and installed any of the following Jira Server
and Data Center versions should upgrade their installations immediately to fix
this vulnerability:

* >= 7.0.10 but less than 7.6.16 (the fixed version for 7.6.x)
* >= 7.7.0 but less than 7.13.8 (the fixed version for 7.13.x)
* >= 8.0.0 but less than 8.1.3 (the fixed version for 8.1.x)
* >= 8.2.0 but less than 8.2.5 (the fixed version for 8.2.x)
* >= 8.3.0 but less than 8.3.4 (the fixed version for 8.3.x)
* >= 8.4.0 but less than 8.4.1 (the fixed version for 8.4.x)
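The following is an added example, not part of the Atlassian advisory: a small
checker that tests an installed Jira Server / Data Center version string against
the affected ranges given above and reports the fixed release to upgrade to.
The host names in the sample inventory are constructed.

```python
# Added example (not from the Atlassian advisory): checks whether a Jira
# Server / Data Center version falls inside one of the affected ranges
# published for CVE-2019-15001 and reports the matching fixed version.
from typing import Optional, Tuple

# (first affected, first fixed) pairs copied from the advisory. A version is
# affected when first_affected <= version < first_fixed.
AFFECTED_RANGES = [
    ("7.0.10", "7.6.16"),
    ("7.7.0", "7.13.8"),
    ("8.0.0", "8.1.3"),
    ("8.2.0", "8.2.5"),
    ("8.3.0", "8.3.4"),
    ("8.4.0", "8.4.1"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.13.8' into (7, 13, 8), padding to three components.

    Jira versions are dotted integers; comparing them as tuples makes 7.13.8
    sort after 7.6.16, which a plain string comparison would get wrong.
    """
    nums = tuple(int(p) for p in text.strip().split("."))
    return nums + (0,) * (3 - len(nums))


def fix_version_for(version: str) -> Optional[str]:
    """Return the fixed release for an affected version, or None if unaffected."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            return first_fixed
    return None


def is_affected(version: str) -> bool:
    """True when the version lies inside any affected range of the advisory."""
    return fix_version_for(version) is not None


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names, not real systems).
    inventory = [("jira-prod", "7.13.7"), ("jira-dev", "8.4.1"), ("jira-old", "7.0.9")]
    for host, ver in inventory:
        fix = fix_version_for(ver)
        status = f"affected, upgrade to {fix}" if fix else "not affected"
        print(f"{host}: {ver} -> {status}")
```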



Template injection in Jira Importers Plugin - CVE-2019-15001

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

There was a server-side template injection vulnerability in Jira Server and Data
Center, in the Jira Importers Plugin (JIM). An attacker with "JIRA
Administrators" access can exploit this issue. Successful exploitation of
this issue allows an attacker to remotely execute code on systems that run a
vulnerable version of Jira Server or Data Center.
Versions of Jira Server and Data Center starting with version 7.0.10 before
7.6.16 (the fixed version for 7.6.x), from version 7.7.0 before 7.13.8 (the
fixed version for 7.13.x), from version 8.0.0 before 8.1.3 (the fixed version for
8.1.x), from version 8.2.0 before 8.2.5 (the fixed version for 8.2.x), from
version 8.3.0 before 8.3.4 (the fixed version for 8.3.x), and from version 8.4.0
before 8.4.1 (the fixed version for 8.4.x) are affected by this vulnerability.
This issue can be tracked at https://jira.atlassian.com/browse/JRASERVER-69933



Fix:

To address this issue, we've released the following versions containing a fix:

* Jira Server and Data Center version 7.6.16
* Jira Server and Data Center version 7.13.8
* Jira Server and Data Center version 8.1.3
* Jira Server and Data Center version 8.2.5
* Jira Server and Data Center version 8.3.4
* Jira Server and Data Center version 8.4.1

Remediation:

Upgrade Jira Server and Data Center to version 8.4.1 or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Jira Server and Data Center 7.6.x and cannot upgrade to
8.4.1, upgrade to version 7.6.16.
If you are running Jira Server and Data Center 7.13.x and cannot upgrade to
8.4.1, upgrade to version 7.13.8.
If you are running Jira Server and Data Center 8.1.x and cannot upgrade to
8.4.1, upgrade to version 8.1.3.
If you are running Jira Server and Data Center 8.2.x and cannot upgrade to
8.4.1, upgrade to version 8.2.5.
If you are running Jira Server and Data Center 8.3.x and cannot upgrade to
8.4.1, upgrade to version 8.3.4.


For a full description of the latest version of Jira Server and Data Center,
see the release notes found at
https://confluence.atlassian.com/jirasoftware/jira-software-release-notes-776821069.html.
You can download the latest version of Jira Server and Data Center from the
download centre found at https://www.atlassian.com/software/jira/download.



Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.






