7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
40.3%
Affected versions of Atlassian Jira Server and Data Center used versions of xmlsec that were vulnerable to CVE-2021-40690.
Affected versions:
Workaround:
Workaround steps:
Navigate to Jira installation directory
Navigate to subdirectory {{atlassian-jira/WEB-INF/lib}}
Localize file {{xmlsec-1.5.6.jar}}
Remove file {{xmlsec-1.5.6.jar}}
Restart node
Follow these steps for each node in Jira cluster.
{panel}
{panel:title=2. How to know if plugin is using xmlsec dependency.}
Nature of plugins allow them to use any library they want. Described method of finding out is not 100% perfect as there are multiple tools and ways of including library, but it should cover most common cases.
Unpack plugin jar/obr
Look for file {{xmlsec-1.5.X.jar}} or {{xmlsec.jar}} (where X is any number) in unpacked directory and subdirectories. If found, plugin is using vulnerable library
Look for file {{META-INF/MANIFEST.MF}} in unpacked directory
Open it and search for string {{{}org.apache.xml.security{}}}. If found, plugin is using vulnerable library
Look for file {{pom.xml}} in unpacked directory and subdirectories. If found, open file and look for element {{<dependency>}} which contains elements {{{}<artifactId>xmlsec</artifactId>{}}}, {{<artifactId>xmlsec</artifactId>}} and {{{}<version>X.Y.Z</version>{}}}, where {{X.Y.Z}} is any version described as vulnerable by CVE-2021-40690. If found, plugin is using vulnerable library.
{panel}
CPE | Name | Operator | Version |
---|---|---|---|
jira data center | le | 8.13.0 | |
jira data center | le | 8.20.0 | |
jira data center | le | 8.22.0 | |
jira data center | lt | 8.22.2 | |
jira data center | lt | 9.0.0 | |
jira data center | lt | 8.20.15 |
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
40.3%