Security Features in Automation for Jira

#VU48760 Security Features in Automation for Jira

Published: 2020-12-01 | Updated: 2020-12-02

Vulnerability identifier: #VU48760

Vulnerability risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14193

CWE-ID: CWE-254

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Automation for Jira
Other software / Other software solutions

Vendor: Atlassian

Description

The vulnerability allows a remote attacker to bypass security rescrictions on the target system.

The vulnerability exists due to a template injection flaw. A remote authenticated attacker can read and render files as mustache templates in files inside the WEB-INF/classes & /jira/bin directories.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Automation for Jira: All versions

External links
http://jira.atlassian.com/browse/JIRAAUTOSERVER-185

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Security Features in Atlassian Automation for Jira