JIra security vulnerabilities

Hi All

We are on JIRA 4.1.2. we are planning an upgrade to 5.1 version by end of june. We need your advise on one of the security vulnerabilities we have found on JIRA 4.1.2.

the details are mentioned below.

We would like to know

1. what version of JIRA upgrade will fix this vulnerability
2. Is there a workaround available for this vulnerability until the end of June.

Vulnerability description:

The hosts
xxx.xx.xx.xx are both affected by Atlassian JIRA ConfigureReport.jspa 'reportKey' Info Disclosure (only)
The full description is: "The version of JIRA hosted on the remote web server is affected by an information disclosure vulnerability. By setting 'reportKey' parameter in 'ConfigureReport.jspa' to an invalid value, it is possible for an unauthenticated attacker to obtain sensitive information such as operating system version, database version, build version from the remote system. "

2 answers

1 accepted

0 votes
Accepted answer

The log pasted above corresponds to vulnerability related to 500page.jsp where in you can get a lot of information about the jira instance by directly hitting an URL . I patched the updated 500page.jsp from the knowledge base article on jra and it fixed the vulnerability.


0 votes
Timothy Chin Community Champion Apr 28, 2013

You would need to check this page for security vulnerabilities that have already been reported (https://confluence.atlassian.com/display/JIRA051/Security+Advisories). You can also update your test server to 5.1 (or whichever version you prefer) and check if the vulnerability still exists.

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Jan 08, 2019 in Jira

How to Jira for designers

I’m a designer on the Jira team. For a long time, I’ve fielded questions from other designers about how they should be using Jira Software with their design team. I’ve also heard feedback from other ...

1,231 views 5 10
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you