Security vulnerabilities

Hi, have a good day. We are using the atlassian/jira-software:8.9 image from hub.docker.com in our env.
We found some vulnerabilities while scanning the image through the Artifactory X-ray scanner.


FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

High security JFrog com.fasterxml.jackson.core:jackson-databind
< 2.7.9.3,2.8.0 <= Version < 2.8.11.1,2.9.0.pr1 <= Version < 2.9.5
Fixed version = 2.9.5,2.8.11.1,2.7.9.3
2020-08-11T02:11:29-05:00
High

https://nvd.nist.gov/vuln/detail/CVE-2017-7525


1 comment

Daniel Ebers Community Leader Oct 11, 2020

Hi Anil,

Usually you can find information about fixed security vulnerabilities in the release notes. That means the versions they are fixed in are usually listed in the release notes:
https://confluence.atlassian.com/jirasoftware/jira-software-8-5-x-release-notes-975014654.html
The above example is for Jira v8.5.

For the current finding (CVE-2017-7525) please consider the statement that no product is known to be affected.

In case you are convinced this statement has to be revised, you can report them to the Security team. Here in the Community the likelihood that it will be seen is rather small.

Cheers,
Daniel
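
An added example, not part of the original thread and not Atlassian's or JFrog's code: a small Python check that compares jackson-databind jar file names against the affected version ranges listed in the scanner finding quoted in the question. The jar paths in `SAMPLE` are constructed, and the function names are hypothetical.

```python
import re

# Affected ranges as listed in the scanner finding quoted in the question:
# (inclusive lower bound or None, exclusive upper bound).
AFFECTED_RANGES = [
    (None, "2.7.9.3"),
    ("2.8.0", "2.8.11.1"),
    ("2.9.0.pr1", "2.9.5"),
]
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+)|\.(pr|rc)(\d+))?")
JAR_RE = re.compile(r"jackson-databind-(\d[\w.]*?)\.jar$")


def version_key(version):
    """Sortable key: .prN/.rcN pre-releases sort before the plain release,
    a fourth number (micro-patch such as 2.8.11.1) sorts after it."""
    m = VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if m.group(5):
        stage, n = (-2 if m.group(5) == "pr" else -1), int(m.group(6))
    else:
        stage, n = 0, int(m.group(4) or 0)
    return (major, minor, patch, stage, n)


def is_affected(version):
    """True if version falls inside any range listed in the finding."""
    key = version_key(version)
    return any(
        (low is None or version_key(low) <= key) and key < version_key(high)
        for low, high in AFFECTED_RANGES
    )


def triage(paths):
    """Return {path: True/False} for every jackson-databind jar in paths."""
    result = {}
    for path in paths:
        m = JAR_RE.search(path)
        if m:
            result[path] = is_affected(m.group(1))
    return result


# Constructed sample listing (not taken from the Jira image).
SAMPLE = ["lib/jackson-databind-2.9.4.jar", "lib/jackson-databind-2.9.5.jar",
          "lib/jackson-databind-2.8.11.1.jar", "lib/jackson-core-2.9.4.jar"]

if __name__ == "__main__":
    for path, hit in triage(SAMPLE).items():
        print(f"{path}: {'in affected range' if hit else 'not in affected range'}")
```

A match only confirms the scanner's version comparison for the jar that is present; it does not show whether the application passes untrusted JSON to the vulnerable code path.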
