JIra security vulnerabilities

Hi All

We are on JIRA 4.1.2. we are planning an upgrade to 5.1 version by end of june. We need your advise on one of the security vulnerabilities we have found on JIRA 4.1.2.

the details are mentioned below.

We would like to know

1. what version of JIRA upgrade will fix this vulnerability
2. Is there a workaround available for this vulnerability until the end of June.

Vulnerability description:

The hosts
xxx.xx.xx.xx
and
xxx.xx.xx.xx are both affected by Atlassian JIRA ConfigureReport.jspa 'reportKey' Info Disclosure (only)
The full description is: "The version of JIRA hosted on the remote web server is affected by an information disclosure vulnerability. By setting 'reportKey' parameter in 'ConfigureReport.jspa' to an invalid value, it is possible for an unauthenticated attacker to obtain sensitive information such as operating system version, database version, build version from the remote system. "

2 answers

1 accepted

Accepted Answer
0 votes

The log pasted above corresponds to vulnerability related to 500page.jsp where in you can get a lot of information about the jira instance by directly hitting an URL . I patched the updated 500page.jsp from the knowledge base article on jra and it fixed the vulnerability.

Rahul

0 votes
Timothy Chin Community Champion Apr 28, 2013

You would need to check this page for security vulnerabilities that have already been reported (https://confluence.atlassian.com/display/JIRA051/Security+Advisories). You can also update your test server to 5.1 (or whichever version you prefer) and check if the vulnerability still exists.

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted Sep 18, 2018 in Jira

What modern development practices are at the heart of how your team delivers software?

Hey Community mates! Claire here from the Software Product Marketing team. We all know software development changes rapidly, and it's often tough to keep up. But from our research, we've found the h...

24,161 views 2 7
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you