Are you in the loop? Keep up with the latest by making sure you're subscribed to Community Announcements. Just click Watch and select Articles.

×
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Join now to unlock these features and more

Trivy vulnerabiltiy scan of atlassian/jira-software:9.11.0 image picks up critical vulnerabilities

Saul Williamson
Saul Williamson
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
Sep 19, 2023

Ran trivy image vulnerability scanner on atlassian/jira-software:9.11.0. It is picking up a number of critical vulnerabilities listed below.

Looking through old tickets and other documentation some of these are considered non-applicable.  But the following items are still of concern:

org.yaml:snakeyaml
CVE-2022-1471

org.eclipse.jetty:jetty-server
CVE-2017-7658
CVE-2017-7657

List of critical vulnerabilities picked up by Trivy image security scan:

PackageVulnerability IDSeverityInstalled VersionFixed Version
com.fasterxml.jackson.core:jackson-databindCVE-2017-15095CRITICAL2.3.32.7.9.2, 2.8.10, 2.9.1
com.fasterxml.jackson.core:jackson-databindCVE-2018-11307CRITICAL2.3.32.7.9.4, 2.8.11.2, 2.9.6
com.fasterxml.jackson.core:jackson-databindCVE-2018-14718CRITICAL2.3.32.6.7.2, 2.9.7
com.fasterxml.jackson.core:jackson-databindCVE-2018-7489CRITICAL2.3.32.7.9.3, 2.8.11.1, 2.9.5
com.fasterxml.jackson.core:jackson-databindCVE-2019-14540CRITICAL2.3.32.9.10
com.fasterxml.jackson.core:jackson-databindCVE-2019-14893CRITICAL2.3.32.8.11.5, 2.9.10
com.fasterxml.jackson.core:jackson-databindCVE-2019-16335CRITICAL2.3.32.9.10
com.fasterxml.jackson.core:jackson-databindCVE-2019-16942CRITICAL2.3.32.9.10.1
com.fasterxml.jackson.core:jackson-databindCVE-2019-16943CRITICAL2.3.32.9.10.1
com.fasterxml.jackson.core:jackson-databindCVE-2019-17267CRITICAL2.3.32.9.10
com.fasterxml.jackson.core:jackson-databindCVE-2019-17531CRITICAL2.3.32.9.10.1
com.fasterxml.jackson.core:jackson-databindCVE-2019-20330CRITICAL2.3.32.8.11.5, 2.9.10.2
org.eclipse.jetty:jetty-serverCVE-2017-7657CRITICAL8.1.15.v201404119.2.25.v20180606, 9.3.24.v20180605
org.eclipse.jetty:jetty-serverCVE-2017-7658CRITICAL8.1.15.v201404119.2.26.v20180806, 9.3.24.v20180605, 9.4.11.v20180605
org.springframework:spring-webCVE-2016-1000027CRITICAL5.3.266.0.0
org.yaml:snakeyamlCVE-2022-1471CRITICAL1.192
Answer
Watch
Like Be the first to like this
565 views

1 answer

0 votes
Pandiyan Muthuraman
Pandiyan Muthuraman Nov 02, 2023

@Saul Williamson I am also facing similar issue with Jira 9.4.8 LTS version, Did you get any update ?

Also may i know which old tickets and documentations you have referred to conclude those critical vulnerabilities are ignorable, please share that helps me. TIA!

View More Comments
Saul Williamson
Saul Williamson
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
Nov 02, 2023 • edited

https://jira.atlassian.com/browse/JRASERVER-71535?jql=text%20~%20%22CVE-2019-17267%22
From Atlassian: This issue is now patched in versions 8.13.1, 8.14.0, and 8.5.10.
CVE-2020-8840
CVE-2019-20330
CVE-2019-17531
CVE-2019-17267
CVE-2019-16943
CVE-2019-16942
CVE-2019-16335
CVE-2019-14540
CVE-2018-7489
CVE-2018-14718
CVE-2018-11307
CVE-2018-5968
CVE-2017-17485
CVE-2017-15095


https://nvd.nist.gov/vuln/detail/CVE-2016-1000027
The vendors position is that untrusted data is not an intended use case. The products behavior will not be changed because some users rely on deserialization of trusted data.
CVE-2016-1000027


https://jira.atlassian.com/browse/JIRAAUTOSERVER-44
From Atlassian: Fixed in Jira 7.2.5, 7.2.6
CVE-2019-14893

Like
Pandiyan Muthuraman
Pandiyan Muthuraman Nov 02, 2023

That helps, thanks 

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira Software
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

See all events