
Security vulnerabilities

Hi, have a good day. We are using the atlassian/jira-software:8.9 image from hub.docker.com in our env.
We found some vulnerabilities while scanning the image through the Artifactory Xray scanner.


FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

High security JFrog
com.fasterxml.jackson.core:jackson-databind
< 2.7.9.3, 2.8.0 <= Version < 2.8.11.1, 2.9.0.pr1 <= Version < 2.9.5
Fixed version = 2.9.5, 2.8.11.1, 2.7.9.3
2020-08-11T02:11:29-05:00
High

https://nvd.nist.gov/vuln/detail/CVE-2017-7525


1 comment

Daniel Ebers Community Leader Oct 11, 2020

Hi Anil,

Usually you can find information about fixed security vulnerabilities in the release notes. That means: the versions they are fixed in are usually listed in the release notes:
https://confluence.atlassian.com/jirasoftware/jira-software-8-5-x-release-notes-975014654.html
The above example is for Jira v8.5.

For the current finding (CVE-2017-7525) please consider the statement that no product is known to be affected.

In case you are convinced this statement has to be revised, you can report it to the Security team. Here in Community the likelihood that it will be seen is rather small.

Cheers,
Daniel
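To triage a finding like the one quoted in the question, it helps to confirm which jackson-databind jars the image actually ships and whether their versions fall inside the reported ranges. The following is an added example, not part of the original thread or of any Atlassian or JFrog tooling; the jar paths are constructed, and treating any version qualifier (such as `pr1`) as a pre-release is a simplifying assumption.

```python
import re

# Ranges copied from the scan finding: (inclusive lower bound or None, exclusive upper bound).
AFFECTED_RANGES = [(None, "2.7.9.3"), ("2.8.0", "2.8.11.1"), ("2.9.0.pr1", "2.9.5")]

_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:[.-]([A-Za-z]+)(\d*))?$")
_JAR = re.compile(r"jackson-databind-(\d[\w.\-]*?)\.jar$")

# Constructed sample paths (hypothetical, not taken from the real image).
SAMPLE_PATHS = [
    "/example/app/WEB-INF/lib/jackson-databind-2.9.4.jar",
    "/example/app/WEB-INF/lib/jackson-databind-2.9.0.pr1.jar",
    "/example/plugins/jackson-databind-2.10.0.jar",
    "/example/app/WEB-INF/lib/jackson-core-2.9.4.jar",
]


def version_key(version):
    """Return a sortable key; a qualifier such as 'pr1' sorts before the plain release."""
    m = _VERSION.match(version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))  # pad so 2.9.5 compares as 2.9.5.0
    if m.group(2):  # assumption: any qualifier marks a pre-release
        return (tuple(nums), 0, int(m.group(3) or 0))
    return (tuple(nums), 1, 0)


def is_affected(version):
    """True if the version lies inside any range listed in the finding."""
    key = version_key(version)
    return any(
        (low is None or version_key(low) <= key) and key < version_key(high)
        for low, high in AFFECTED_RANGES
    )


def triage(paths):
    """Map each jackson-databind jar path to (version, affected?); other jars are skipped."""
    found = {}
    for path in paths:
        m = _JAR.search(path)
        if m:
            found[path] = (m.group(1), is_affected(m.group(1)))
    return found


if __name__ == "__main__":
    for path, (version, hit) in triage(SAMPLE_PATHS).items():
        print(f"{'AFFECTED' if hit else 'ok':8} {version:10} {path}")
```

A match only confirms that a jar in the listed version range is present in the image; whether the product exposes the vulnerable code path is the separate question the reply above points to.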
