SB2019121831 - Multiple vulnerabilities in Atlassian JIRA

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Open redirect (CVE-ID: CVE-2019-20901)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter.

2) Missing Authorization (CVE-ID: CVE-2019-15013)

The vulnerability allows a remote authenticated user to manipulate data.

The WorkflowResource class removeStatus method in Jira before version 7.13.12, from version 8.0.0 before version 8.4.3, and from version 8.5.0 before version 8.5.2 allows authenticated remote attackers who do not have project administration access to remove a configured issue status from a project via a missing authorisation check.

Remediation

Install update from vendor's website.

References

• https://jira.atlassian.com/browse/JRASERVER-70408
• https://jira.atlassian.com/browse/JRASERVER-70405