Atlassian JSDSERVER-14401 (security-metrics-bot), Sep 20, 2023 - 3:53 p.m.

XXE (XML External Entity Injection) in Jira Service Management Data Center and Server - CVE-2019-13990

Source: jira.atlassian.com (security-metrics-bot, 2023-09-20 15:53:19)

||Score||Vector and metrics||
|CVSS2: 7.5 High|AV:N/AC:L/Au:N/C:P/I:P/A:P (Attack Vector: NETWORK, Attack Complexity: LOW, Authentication: NONE, Confidentiality Impact: PARTIAL, Integrity Impact: PARTIAL, Availability Impact: PARTIAL)|
|CVSS3: 9.8 High|CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Attack Vector: NETWORK, Attack Complexity: LOW, Privileges Required: NONE, User Interaction: NONE, Scope: UNCHANGED, Confidentiality Impact: HIGH, Integrity Impact: HIGH, Availability Impact: HIGH)|
|EPSS: 0.008 Low|Percentile: 81.1%|

h2. Summary of Vulnerability

Certain versions of Jira Service Management Server & Data Center were affected by CVE-2019-13990. The affected versions bundled vulnerable versions of the Terracotta Quartz Scheduler, which allowed authenticated attackers to initiate an XML External Entity injection attack using job descriptions.

Atlassian has committed to issuing critical advisories based on the NVD vulnerability score. In this case the CVSS for this third-party CVE is critical (9.8), but that score does not always account for the context in which a vulnerable component is used in our software. Unauthenticated attackers without local access to the system are unable to exploit this vulnerability. As such, our internal assessment of this vulnerability is scored as high severity.

This critical severity XXE (XML External Entity Injection) vulnerability, known as CVE-2019-13990, affects versions of Jira Service Management Data Center and Server from 4.20.0 onward. Versions outside of the support window (i.e. versions that have reached End of Life) may also be affected, so Atlassian recommends you upgrade to a fixed LTS version or later.
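As an added illustration of the parser hardening that closes this class of bug (example code, not Atlassian's or Quartz's own): a Java DocumentBuilder configured to refuse DTDs and external entities before it reads job-description XML, so a DOCTYPE can never introduce an external entity. The job-scheduling-data element layout in the sample and the `example.NoOpJob` class name are assumptions for the constructed input.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class HardenedJobXmlParser {

    // A DocumentBuilder that cannot resolve DTDs or external entities.
    // The feature URIs are the standard Xerces/JAXP ones shipped with the JDK.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any <!DOCTYPE ...> outright: without a DTD no entity can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses job-scheduling XML and returns the first job <description>, or null.
    static String firstJobDescription(String xml) throws Exception {
        Document doc = hardenedBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList n = doc.getElementsByTagName("description");
        return n.getLength() == 0 ? null : n.item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document in the Quartz job-scheduling-data layout (assumed shape).
        String body = "<job-scheduling-data xmlns=\"http://www.quartz-scheduler.org/xml/JobSchedulingData\" version=\"2.0\">"
            + "<schedule><job><name>nightly</name><group>ops</group>"
            + "<description>Nightly cleanup</description>"
            + "<job-class>example.NoOpJob</job-class></job></schedule></job-scheduling-data>";
        System.out.println("description = " + firstJobDescription("<?xml version=\"1.0\"?>" + body));

        // The same document with a DOCTYPE prepended is refused before any entity
        // could be declared, let alone resolved.
        try {
            firstJobDescription("<?xml version=\"1.0\"?><!DOCTYPE job-scheduling-data>" + body);
            System.out.println("UNEXPECTED: DOCTYPE accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```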
h2. Affected Versions
||Product||Affected Versions||
|Jira Service Management Data Center, Jira Service Management Server|4.20.0, 4.20.1, 4.20.2, 4.20.3, 4.20.4, 4.20.5, 4.20.6, 4.20.7, 4.20.8, 4.20.9, 4.20.10, 4.20.11, 4.20.12, 4.20.13, 4.20.14, 4.20.15, 4.20.16, 4.20.17, 4.20.18, 4.20.19, 4.20.20, 4.20.21, 4.20.22, 4.20.23, 4.20.24, 4.20.25, 4.21.0, 4.21.1, 4.22.0, 4.22.1, 4.22.2, 4.22.3, 4.22.4, 4.22.6, 5.0.0, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.6, 5.4.7, 5.4.8, 5.4.9, 5.5.1, 5.6.0, 5.7.0, 5.7.1, 5.8.0, 5.8.1, 5.9.0, 5.10.0|

h2. Fixed Versions
||Product||Fixed Versions||
|Jira Service Management Data Center, Jira Service Management Server|4.20.26 or later, 5.4.10 or later, 5.7.2 or later, 5.8.2 or later, 5.9.2 or later, 5.10.1 or later|

h2. What You Need to Do

Atlassian recommends that you upgrade your instance to one of the versions listed in the “Fixed Versions” table section of this ticket. For full descriptions of the above versions of Jira Service Management Data Center and Server, see the [release notes|https://confluence.atlassian.com/servicemanagement/jira-service-management-release-notes-780083086.html]. You can download the latest version of Jira Service Management Data Center and Server from the [download center|https://www.atlassian.com/software/jira/service-management/download-archives].
h2. Mitigation

If you are unable to upgrade to a fixed version immediately, you can temporarily remediate this vulnerability by disabling Assets on your Jira Service Management instance, following the instructions at [https://confluence.atlassian.com/x/hHLSQ]. This has the consequence of disabling Assets functionality.

For additional details, please see full advisory here: [https://confluence.atlassian.com/pages/viewpage.action?pageId=1295385959]
h2. Acknowledgments

This vulnerability was discovered and reported via our Atlassian (Internal) program.

