Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Trivy vulnerabiltiy scan of atlassian/jira-software:9.11.0 image picks up critical vulnerabilities

Saul Williamson
Saul Williamson
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
September 19, 2023

Ran trivy image vulnerability scanner on atlassian/jira-software:9.11.0. It is picking up a number of critical vulnerabilities listed below.

Looking through old tickets and other documentation some of these are considered non-applicable.  But the following items are still of concern:

org.yaml:snakeyaml
CVE-2022-1471

org.eclipse.jetty:jetty-server
CVE-2017-7658
CVE-2017-7657

List of critical vulnerabilities picked up by Trivy image security scan:

PackageVulnerability IDSeverityInstalled VersionFixed Version
com.fasterxml.jackson.core:jackson-databindCVE-2017-15095CRITICAL2.3.32.7.9.2, 2.8.10, 2.9.1
com.fasterxml.jackson.core:jackson-databindCVE-2018-11307CRITICAL2.3.32.7.9.4, 2.8.11.2, 2.9.6
com.fasterxml.jackson.core:jackson-databindCVE-2018-14718CRITICAL2.3.32.6.7.2, 2.9.7
com.fasterxml.jackson.core:jackson-databindCVE-2018-7489CRITICAL2.3.32.7.9.3, 2.8.11.1, 2.9.5
com.fasterxml.jackson.core:jackson-databindCVE-2019-14540CRITICAL2.3.32.9.10
com.fasterxml.jackson.core:jackson-databindCVE-2019-14893CRITICAL2.3.32.8.11.5, 2.9.10
com.fasterxml.jackson.core:jackson-databindCVE-2019-16335CRITICAL2.3.32.9.10
com.fasterxml.jackson.core:jackson-databindCVE-2019-16942CRITICAL2.3.32.9.10.1
com.fasterxml.jackson.core:jackson-databindCVE-2019-16943CRITICAL2.3.32.9.10.1
com.fasterxml.jackson.core:jackson-databindCVE-2019-17267CRITICAL2.3.32.9.10
com.fasterxml.jackson.core:jackson-databindCVE-2019-17531CRITICAL2.3.32.9.10.1
com.fasterxml.jackson.core:jackson-databindCVE-2019-20330CRITICAL2.3.32.8.11.5, 2.9.10.2
org.eclipse.jetty:jetty-serverCVE-2017-7657CRITICAL8.1.15.v201404119.2.25.v20180606, 9.3.24.v20180605
org.eclipse.jetty:jetty-serverCVE-2017-7658CRITICAL8.1.15.v201404119.2.26.v20180806, 9.3.24.v20180605, 9.4.11.v20180605
org.springframework:spring-webCVE-2016-1000027CRITICAL5.3.266.0.0
org.yaml:snakeyamlCVE-2022-1471CRITICAL1.192
Answer
Watch
Like Be the first to like this
1453 views

1 answer

0 votes
Pandiyan Muthuraman
Pandiyan Muthuraman November 2, 2023

@Saul Williamson I am also facing similar issue with Jira 9.4.8 LTS version, Did you get any update ?

Also may i know which old tickets and documentations you have referred to conclude those critical vulnerabilities are ignorable, please share that helps me. TIA!

View More Comments
Saul Williamson
Saul Williamson
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
November 2, 2023

https://jira.atlassian.com/browse/JRASERVER-71535?jql=text%20~%20%22CVE-2019-17267%22
From Atlassian: This issue is now patched in versions 8.13.1, 8.14.0, and 8.5.10.
CVE-2020-8840
CVE-2019-20330
CVE-2019-17531
CVE-2019-17267
CVE-2019-16943
CVE-2019-16942
CVE-2019-16335
CVE-2019-14540
CVE-2018-7489
CVE-2018-14718
CVE-2018-11307
CVE-2018-5968
CVE-2017-17485
CVE-2017-15095


https://nvd.nist.gov/vuln/detail/CVE-2016-1000027
The vendors position is that untrusted data is not an intended use case. The products behavior will not be changed because some users rely on deserialization of trusted data.
CVE-2016-1000027


https://jira.atlassian.com/browse/JIRAAUTOSERVER-44
From Atlassian: Fixed in Jira 7.2.5, 7.2.6
CVE-2019-14893

Like
Pandiyan Muthuraman
Pandiyan Muthuraman November 2, 2023

That helps, thanks 

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
TAGS
AUG Leaders

Atlassian Community Events

    See all events