Atlassian JIRA 7.13.x < 7.13.6 / 8.x < 8.2.3 / 8.3.x < 8.3.2 Multiple Vulnerabilities

medium Nessus Plugin ID 129593

Synopsis

The remote web server hosts a web application that is potentially affected by multiple vulnerabilities.

Description

According to its self-reported version number, the instance of Atlassian JIRA hosted on the remote web server is potentially affected by multiple vulnerabilities:

- An open redirect vulnerability exists in the startup.jsp resource. An unauthenticated, remote attacker can exploit this via the network to redirect users to a different website which they may use as part of performing a phishing attack. (CVE-2019-11585)

- A Cross-site request forgery (XSRF) vulnerability exists in the AddResolution.jspa resource. An unauthenticated, remote attacker can exploit this via the network to create new resolutions.
(CVE-2019-11586)

- A Cross-site request forgery (XSRF) vulnerability exists in various exposed resources of the ViewLogging class. An unauthenticated, remote attacker can exploit this via the network to modify various settings.
(CVE-2019-11587)

- A Cross-site request forgery (XSRF) vulnerability exists in the doGarbageCollection method of the ViewSystemInfo class. An unauthenticated, remote attacker can exploit this via the network to trigger garbage collection. (CVE-2019-11588)

- An open redirect vulnerability exists in the ChangeSharedFilterOwner resource. An unauthenticated, remote attacker can exploit this via the network to attack users, and in some cases be able to obtain a user's Cross-site request forgery (XSRF) token. (CVE-2019-11589)

Solution

Upgrade to Atlassian JIRA version 7.13.6 / 8.2.3 / 8.3.2 / 8.4.0 or later.

See Also

https://jira.atlassian.com/browse/JRASERVER-69780

https://jira.atlassian.com/browse/JRASERVER-69781

https://jira.atlassian.com/browse/JRASERVER-69782

https://jira.atlassian.com/browse/JRASERVER-69783

https://jira.atlassian.com/browse/JRASERVER-69784

Plugin Details

Severity: Medium

ID: 129593

File Name: jira_8_3_2_CVE-2019-11585.nasl

Version: 1.6

Type: combined

Agent: windows, macosx, unix

Family: CGI abuses

Published: 10/7/2019

Updated: 6/5/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent, Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2019-11589

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2019-11587

Vulnerability Information

CPE: cpe:/a:atlassian:jira

Required KB Items: installed_sw/Atlassian JIRA

Exploit Ease: No known exploits are available

Patch Publication Date: 7/9/2019

Vulnerability Publication Date: 8/23/2019

Reference Information

CVE: CVE-2019-11585, CVE-2019-11586, CVE-2019-11587, CVE-2019-11588, CVE-2019-11589