cnvd - cnvd-2019-22769

cnvd-2019-22769

Vulnerability from cnvd

Title: Atlassian JIRA服务器端请求伪造漏洞

Description:

Atlassian JIRA是澳大利亚Atlassian公司的一套缺陷跟踪管理系统。该系统主要用于对工作中各类问题、缺陷进行跟踪管理。

Atlassian JIRA中的VerifyPopServerConnection resource存在服务器端请求伪造漏洞，远程攻击者可利用该漏洞确定所存在的内部主机和开放的端口并可能获取内部网络资源的服务信息。

Severity: 中

Patch Name: Atlassian JIRA服务器端请求伪造漏洞的补丁

Patch Description:

Atlassian JIRA是澳大利亚Atlassian公司的一套缺陷跟踪管理系统。该系统主要用于对工作中各类问题、缺陷进行跟踪管理。

Atlassian JIRA中的VerifyPopServerConnection resource存在服务器端请求伪造漏洞，远程攻击者可利用该漏洞确定所存在的内部主机和开放的端口并可能获取内部网络资源的服务信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://jira.atlassian.com/browse/JRASERVER-68527

Reference: https://jira.atlassian.com/browse/JRASERVER-68527

Impacted products

Name
['Atlassian JIRA 7.7.，<7.7.5', 'Atlassian JIRA 7.8.，<7.8.5', 'Atlassian JIRA 7.9.，<7.9.3', 'Atlassian JIRA 7.10.，<7.10.3', 'Atlassian JIRA 7.11.，<7.11.3', 'Atlassian JIRA 7.12.，<7.12.3', 'Atlassian JIRA <7.13.1', 'Atlassian JIRA <7.6.10']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-13404",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13404"
    }
  },
  "description": "Atlassian JIRA\u662f\u6fb3\u5927\u5229\u4e9aAtlassian\u516c\u53f8\u7684\u4e00\u5957\u7f3a\u9677\u8ddf\u8e2a\u7ba1\u7406\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u4e3b\u8981\u7528\u4e8e\u5bf9\u5de5\u4f5c\u4e2d\u5404\u7c7b\u95ee\u9898\u3001\u7f3a\u9677\u8fdb\u884c\u8ddf\u8e2a\u7ba1\u7406\u3002\n\nAtlassian JIRA\u4e2d\u7684VerifyPopServerConnection resource\u5b58\u5728\u670d\u52a1\u5668\u7aef\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u786e\u5b9a\u6240\u5b58\u5728\u7684\u5185\u90e8\u4e3b\u673a\u548c\u5f00\u653e\u7684\u7aef\u53e3\u5e76\u53ef\u80fd\u83b7\u53d6\u5185\u90e8\u7f51\u7edc\u8d44\u6e90\u7684\u670d\u52a1\u4fe1\u606f\u3002",
  "discovererName": "SecurityB",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://jira.atlassian.com/browse/JRASERVER-68527",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-22769",
  "openTime": "2019-07-16",
  "patchDescription": "Atlassian JIRA\u662f\u6fb3\u5927\u5229\u4e9aAtlassian\u516c\u53f8\u7684\u4e00\u5957\u7f3a\u9677\u8ddf\u8e2a\u7ba1\u7406\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u4e3b\u8981\u7528\u4e8e\u5bf9\u5de5\u4f5c\u4e2d\u5404\u7c7b\u95ee\u9898\u3001\u7f3a\u9677\u8fdb\u884c\u8ddf\u8e2a\u7ba1\u7406\u3002\r\n\r\nAtlassian JIRA\u4e2d\u7684VerifyPopServerConnection resource\u5b58\u5728\u670d\u52a1\u5668\u7aef\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u786e\u5b9a\u6240\u5b58\u5728\u7684\u5185\u90e8\u4e3b\u673a\u548c\u5f00\u653e\u7684\u7aef\u53e3\u5e76\u53ef\u80fd\u83b7\u53d6\u5185\u90e8\u7f51\u7edc\u8d44\u6e90\u7684\u670d\u52a1\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Atlassian JIRA\u670d\u52a1\u5668\u7aef\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Atlassian JIRA 7.7.*\uff0c\u003c7.7.5",
      "Atlassian JIRA 7.8.*\uff0c\u003c7.8.5",
      "Atlassian JIRA 7.9.*\uff0c\u003c7.9.3",
      "Atlassian JIRA 7.10.*\uff0c\u003c7.10.3",
      "Atlassian JIRA 7.11.*\uff0c\u003c7.11.3",
      "Atlassian JIRA 7.12.*\uff0c\u003c7.12.3",
      "Atlassian JIRA \u003c7.13.1",
      "Atlassian JIRA \u003c7.6.10"
    ]
  },
  "referenceLink": "https://jira.atlassian.com/browse/JRASERVER-68527",
  "serverity": "\u4e2d",
  "submitTime": "2019-02-15",
  "title": "Atlassian JIRA\u670d\u52a1\u5668\u7aef\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e"
}

CVE-2018-13404 (GCVE-0-2018-13404)

Vulnerability from cvelistv5

Published

2019-02-13 18:00

Modified

2024-09-16 17:28

Severity ?

CWE

Server-Side Request Forgery (SSRF)

Summary

The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and from version 7.13.0 before version 7.13.1 allows remote attackers who have administrator rights to determine the existence of internal hosts & open ports and in some cases obtain service information from internal network resources via a Server Side Request Forgery (SSRF) vulnerability.

References

▼	URL	Tags
	https://jira.atlassian.com/browse/JRASERVER-68527	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Atlassian	Jira	Version: unspecified < 7.6.10 Version: 7.7.0 < unspecified Version: unspecified < 7.7.5 Version: 7.8.0 < unspecified Version: unspecified < 7.8.5 Version: 7.9.0 < unspecified Version: unspecified < 7.9.3 Version: 7.10.0 < unspecified Version: unspecified < 7.10.3 Version: 7.11.0 < unspecified Version: unspecified < 7.11.3 Version: 7.12.0 < unspecified Version: unspecified < 7.12.3 Version: 7.13.0 < unspecified Version: unspecified < 7.13.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:00:35.190Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://jira.atlassian.com/browse/JRASERVER-68527"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Jira",
          "vendor": "Atlassian",
          "versions": [
            {
              "lessThan": "7.6.10",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "7.7.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.7.5",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "7.8.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.8.5",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "7.9.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.9.3",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "7.10.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.10.3",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "7.11.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.11.3",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "7.12.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.12.3",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "7.13.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.13.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2019-01-18T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and from version 7.13.0 before version 7.13.1 allows remote attackers who have administrator rights to determine the existence of internal hosts \u0026 open ports and in some cases obtain service information from internal network resources via a Server Side Request Forgery (SSRF) vulnerability."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-02-13T17:57:01",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://jira.atlassian.com/browse/JRASERVER-68527"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@atlassian.com",
          "DATE_PUBLIC": "2019-01-18T00:00:00",
          "ID": "CVE-2018-13404",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Jira",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "7.6.10"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "7.7.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "7.7.5"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "7.8.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "7.8.5"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "7.9.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "7.9.3"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "7.10.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "7.10.3"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "7.11.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "7.11.3"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "7.12.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "7.12.3"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "7.13.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "7.13.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Atlassian"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and from version 7.13.0 before version 7.13.1 allows remote attackers who have administrator rights to determine the existence of internal hosts \u0026 open ports and in some cases obtain service information from internal network resources via a Server Side Request Forgery (SSRF) vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Server-Side Request Forgery (SSRF)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jira.atlassian.com/browse/JRASERVER-68527",
              "refsource": "CONFIRM",
              "url": "https://jira.atlassian.com/browse/JRASERVER-68527"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2018-13404",
    "datePublished": "2019-02-13T18:00:00Z",
    "dateReserved": "2018-07-06T00:00:00",
    "dateUpdated": "2024-09-16T17:28:16.895Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted