Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

JIra security vulnerabilities

Rahul Aich [Nagra]
Rahul Aich [Nagra]
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
April 28, 2013

Hi All

We are on JIRA 4.1.2. we are planning an upgrade to 5.1 version by end of june. We need your advise on one of the security vulnerabilities we have found on JIRA 4.1.2.

the details are mentioned below.

We would like to know

1. what version of JIRA upgrade will fix this vulnerability
2. Is there a workaround available for this vulnerability until the end of June.

Vulnerability description:

The hosts
xxx.xx.xx.xx
and
xxx.xx.xx.xx are both affected by Atlassian JIRA ConfigureReport.jspa 'reportKey' Info Disclosure (only)
The full description is: "The version of JIRA hosted on the remote web server is affected by an information disclosure vulnerability. By setting 'reportKey' parameter in 'ConfigureReport.jspa' to an invalid value, it is possible for an unauthenticated attacker to obtain sensitive information such as operating system version, database version, build version from the remote system. "

Answer
Watch
Like Be the first to like this
1555 views

2 answers

1 accepted

0 votes
Answer accepted
Rahul Aich [Nagra]
Rahul Aich [Nagra]
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
May 19, 2013

The log pasted above corresponds to vulnerability related to 500page.jsp where in you can get a lot of information about the jira instance by directly hitting an URL . I patched the updated 500page.jsp from the knowledge base article on jra and it fixed the vulnerability.

Rahul

Reply
0 votes
Timothy
Timothy
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
April 28, 2013

You would need to check this page for security vulnerabilities that have already been reported (https://confluence.atlassian.com/display/JIRA051/Security+Advisories). You can also update your test server to 5.1 (or whichever version you prefer) and check if the vulnerability still exists.

Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

    See all events