Jira bundles a vulnerable version of atlassian-gadgets - CVE-2020-36232

The atlassian-gadgets plugin used in affected versions of Atlassian Jira Server and Data Center allows unexpected DNS lookups and requests to malicious servers via server side request forgery vulnerability.

The affected versions are before version 8.5.10, from version 8.6.0 before version 8.13.2, and from version 8.14.0 before version 8.14.1.
h3. Affected versions:

• version < 8.5.10
• 8.6.0 ≤ version < 8.13.2
• 8.14.0 ≤ version < 8.14.1

h4. Fixed versions:

• 8.5.10
• 8.13.2
• 8.14.1
• 8.15.0

See [https://ecosystem.atlassian.net/browse/AG-1532] for further details and or below -

Additional details from [https://ecosystem.atlassian.net/browse/AG-1532] -

The MessageBundleWhiteList class of atlassian-gadgets before version 4.2.37, from version 4.3.0 before 4.3.14, from version 4.3.2.0 before 4.3.2.4, from version 4.4.0 before 4.4.12, and from version 5.0.0 before 5.0.1 allowed unexpected DNS lookups and requests to arbitrary services as it incorrectly obtained application base url information from the executing http request which could be attacker controlled.

The following versions of atlassian-gadgets are affected:

• Versions before 4.2.37
• Versions from 4.3.0 before 4.3.14
• Versions from 4.3.2.0 before 4.3.2.4
• Versions from 4.4.0 before 4.4.12
• Version 5.0.0