Date: Mon, 22 Jul 2019 10:57:34 +1000
From: Anton Black <ablack@...assian.com>
To: bugtraq@...urityfocus.com
Subject: Jira Server - Template injection in various resources - CVE-2019-11581

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This email refers to the advisory found at
https://confluence.atlassian.com/x/AzoGOg .


CVE ID:

* CVE-2019-11581.


Product: Jira Server and Data Center.

Affected Jira Server and Data Center product versions:

4.0.0 <= version < 7.6.14
7.13.0 <= version < 7.13.5
8.0.0 <= version < 8.0.3
8.1.0 <= version < 8.1.2
8.2.0 <= version < 8.2.3


Fixed Jira Server and Data Center product versions:

* Jira Server and Data Center 7.6.14 has been released with a fix for this
issue.
* for 7.13.x, Jira Server and Data Center 7.13.5 has been released with a fix
for this issue.
* for 8.0.x, Jira Server and Data Center 8.0.3 has been released with a fix for
this issue.
* for 8.1.x, Jira Server and Data Center 8.1.2 has been released with a fix for
this issue.
* for 8.2.x, Jira Server and Data Center 8.2.3 has been released with a fix for
this issue.
* Jira Server and Data Center 8.3.0 has been released with a fix for this
issue.


Summary:
This advisory discloses a critical severity security vulnerability. Versions of
Jira Server and Data Center are affected by this vulnerability.



Customers who have upgraded Jira Server and Data Center to version 7.6.14 or
7.13.5 or 8.0.3 or 8.1.2 or 8.2.3 or 8.3.0 are not affected.

Customers who have downloaded and installed any of the following Jira Server and
Data Center versions should upgrade their Jira Server and Data Center
installations immediately to fix this vulnerability:

* >= 4.0.0 but less than 7.6.14;
* >= 7.13.0 but less than 7.13.5 (the fixed version for 7.13.x);
* >= 8.0.0 but less than 8.0.3 (the fixed version for 8.0.x);
* >= 8.1.0 but less than 8.1.2 (the fixed version for 8.1.x);
* >= 8.2.0 but less than 8.2.3 (the fixed version for 8.2.x);
* less than 8.3.0.



Template injection in various resources - CVE-2019-11581

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

There was a server-side template injection vulnerability in Jira Server and Data
Center, in the ContactAdministrators and the SendBulkMail actions. For this
issue to be exploitable at least one of the following conditions must be met:
- an SMTP server has been configured in Jira and the Contact Administrators Form
is enabled; or
- an SMTP server has been configured in Jira and an attacker has `JIRA
Administrators` access.
In the first case, where the Contact Administrators Form is enabled, attackers
are able to exploit this issue without authentication. In the second case,
attackers with `JIRA Administrators` access can exploit this issue. In either
case, successful exploitation of this issue allows an attacker to remotely
execute code on systems that run a vulnerable version of Jira Server or Data
Center.
Versions of Jira Server and Data Center starting with version 7.0.0 before
7.6.14 (the fixed version for 7.6.x), from version 7.7.0 before 7.13.5 (the
fixed version for 7.13.x), from version 8.0.0 before 8.0.3 (the fixed version
for 8.0.x), from version 8.1.0 before 8.1.2 (the fixed version for 8.1.x), and
from version 8.2.0 before 8.2.3 (the fixed version for 8.2.x) are affected by
this vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/JRASERVER-69532 .
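The affected ranges above are easy to misread when checking an inventory of
installations by hand, so here is an added example (editor's code, not
Atlassian's) that encodes them and reports the fix version for a given Jira
Server or Data Center version string. Note that the advisory's version table
(4.0.0 <= version < 7.6.14, 7.13.0 <= version < 7.13.5) and its description
("starting with version 7.0.0 before 7.6.14, from version 7.7.0 before 7.13.5")
disagree on the lower bounds of the 7.x lines; the example takes the wider
reading of each so that no version the advisory anywhere calls affected is
reported as safe. The function names and the sample versions at the bottom are
constructed for this example.

```python
"""Version check for CVE-2019-11581 (added example, not Atlassian's code).

Compares an installed Jira Server / Data Center version string against the
affected ranges quoted in the advisory and reports the fix version for that
release line.  Range bounds come from the advisory; the function names and
the sample versions at the bottom are constructed for this example.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# (lower bound, inclusive; upper bound, exclusive; fix version for that line).
# The advisory's table gives 4.0.0 <= v < 7.6.14 and 7.13.0 <= v < 7.13.5, while
# its description says "from version 7.7.0 before 7.13.5"; the wider reading
# (7.7.0) is used here so nothing the advisory calls affected is reported safe.
AFFECTED_RANGES: List[Tuple[Version, Version, str]] = [
    ((4, 0, 0), (7, 6, 14), "7.6.14"),
    ((7, 7, 0), (7, 13, 5), "7.13.5"),
    ((8, 0, 0), (8, 0, 3), "8.0.3"),
    ((8, 1, 0), (8, 1, 2), "8.1.2"),
    ((8, 2, 0), (8, 2, 3), "8.2.3"),
]

LATEST_FIX = "8.3.0"  # the advisory's recommended upgrade target


def parse_version(text: str) -> Version:
    """Turn '8.2.1' into (8, 2, 1).

    A pre-release or build suffix after '-' (e.g. '8.2.1-rc1') is ignored,
    and short versions such as '8.2' are padded with zeros so that tuple
    comparison behaves like numeric version ordering.
    """
    core = text.strip().split("-", 1)[0]
    parts: List[int] = []
    for piece in core.split("."):
        if not piece.isdigit():
            raise ValueError(f"unrecognised version component {piece!r} in {text!r}")
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def check_version(text: str) -> Optional[str]:
    """Return the fix version for text's release line if it is affected, else None."""
    version = parse_version(text)
    for lower, upper, fix in AFFECTED_RANGES:
        if lower <= version < upper:
            return fix
    return None


def report(text: str) -> str:
    """One human-readable line per installed version, for an inventory script."""
    fix = check_version(text)
    if fix is None:
        return f"{text}: not in an affected range"
    return f"{text}: AFFECTED by CVE-2019-11581; upgrade to {fix} (or {LATEST_FIX}+)"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for installed in ["7.6.13", "7.6.14", "7.10.2", "8.0.3", "8.2.2", "8.3.0"]:
        print(report(installed))
```

Feed `report()` the version strings collected from your own installations; a
result of "not in an affected range" for a version below 8.3.0 only means that
particular line already carries its backported fix, and the advisory still
recommends 8.3.0 or higher where an upgrade is possible.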



Fix:

To address this issue, we've released the following versions containing a fix:

* Jira Server and Data Center version 7.6.14
* Jira Server and Data Center version 7.13.5
* Jira Server and Data Center version 8.0.3
* Jira Server and Data Center version 8.1.2
* Jira Server and Data Center version 8.2.3
* Jira Server and Data Center version 8.3.0

Remediation:

Upgrade Jira Server and Data Center to version 8.3.0 or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Jira Server and Data Center 7.6.x and cannot upgrade to
8.3.0, upgrade to version 7.6.14.
If you are running Jira Server and Data Center 7.13.x and cannot upgrade to
8.3.0, upgrade to version 7.13.5.
If you are running Jira Server and Data Center 8.0.x and cannot upgrade to
8.3.0, upgrade to version 8.0.3.
If you are running Jira Server and Data Center 8.1.x and cannot upgrade to
8.3.0, upgrade to version 8.1.2.
If you are running Jira Server and Data Center 8.2.x and cannot upgrade to
8.3.0, upgrade to version 8.2.3.


For a full description of the latest version of Jira Server and Data Center,
see the release notes found at
https://confluence.atlassian.com/jirasoftware/jira-software-release-notes-776821069.html.
You can download the latest version of Jira Server and Data Center from the
download centre found at https://www.atlassian.com/software/jira/download.



Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.


-----BEGIN PGP SIGNATURE-----

iQJLBAEBCAA1FiEEXh3qw5vbMx/VSutRJCCXorxSdqAFAl01CQgXHHNlY3VyaXR5
QGF0bGFzc2lhbi5jb20ACgkQJCCXorxSdqCvRw/9H+M/5vPW92U/lA7Ju0T7SuCQ
WvxAQQSeXwWlMVkLxTBBfbExGWQy/kF8Czkim3pEog35bMHCS7TUxc1lR+U0CzNS
shQ9Iow1u63P8jtSFkecnqk5UDbt/CSOE80a9iXDukvLZYmoDF04CnGGJG/J+eQE
Z5Re/+jP5Id18PHLuT6nJ0fxuse/CF45gYYeqF7D75BrkpGntpM6+I6RQ97Tz6V0
dsawDIL0MEmQjAenk01CwDj8QRfsf+7XUgi3GArYdmEIYQreFPjSMYnzSKQzHYqs
TFHqI5UX0AHYk90S915fIPubMlyKb2FMpJ7Hx7RUvQOMaQUOWyysDoj9M7LSKOGq
uoJnxAKK64or4jfT9B1LiZoqDlJ2bAVc8oWkZY2LSWzm1Tazcc+bfJ4+fwCh8d39
w/8unsaS8Rhi085WoEJewNCUD5lK7c1VtKZVW7oBDupkuoiSWT9hAu+odOp1yoDp
cUVUOmhqWz+vW5IjyCXp9yZxVfIKU2w50lzADEC+413XS1XGZfjygzg7W0my3kpH
caTF0Rsh7rXLu6+eF/42ot0IinPsDJfGsorE4Wd6b64eG2fdyRSq1Fo6grh3TXgw
HDo0gbg4bGNBhWy8XZWx0oPi03WO82qsS30DgMtLiJ1WxrpaaARRK0/Nr7UYN6m1
aAyplJ/vjHf0b/xnoXo=
=+gCC
-----END PGP SIGNATURE-----
