We are on JIRA 4.1.2. we are planning an upgrade to 5.1 version by end of june. We need your advise on one of the security vulnerabilities we have found on JIRA 4.1.2.
the details are mentioned below.
We would like to know
1. what version of JIRA upgrade will fix this vulnerability
2. Is there a workaround available for this vulnerability until the end of June.
xxx.xx.xx.xx are both affected by Atlassian JIRA ConfigureReport.jspa 'reportKey' Info Disclosure (only)
The full description is: "The version of JIRA hosted on the remote web server is affected by an information disclosure vulnerability. By setting 'reportKey' parameter in 'ConfigureReport.jspa' to an invalid value, it is possible for an unauthenticated attacker to obtain sensitive information such as operating system version, database version, build version from the remote system. "
The log pasted above corresponds to vulnerability related to 500page.jsp where in you can get a lot of information about the jira instance by directly hitting an URL . I patched the updated 500page.jsp from the knowledge base article on jra and it fixed the vulnerability.
You would need to check this page for security vulnerabilities that have already been reported (https://confluence.atlassian.com/display/JIRA051/Security+Advisories). You can also update your test server to 5.1 (or whichever version you prefer) and check if the vulnerability still exists.
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG