9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.008 Low
EPSS
Percentile
80.8%
h2. Summary of Vulnerability
Certain versions of Jira Service Management Server & Data Center were affected by CVE-2019-13990. The affected versions contained vulnerable versions of Terracotta Quartz Scheduler which allowed authenticated attackers to initiate an XML External Entity injection attack using job descriptions.
Atlassian has committed to issuing critical advisories based on the NVD vulnerability score, in this case the CVSS for this third party CVE is critical (9.8), but this score doesnβt always account for the context in which a vulnerable component is used in our software. Unauthenticated attackers without local access to the system are unable to exploit this vulnerability. As such, our internal assessment of this vulnerability is scored as high severity.
This critical severity XXE (XML External Entity Injection) vulnerability known as CVE-2019-13990 affects versions including and after 4.20.0 of Jira Service Management Data Center and Server. Versions outside of the support window (i.e. versions that have reached End of Life) may also be affected, so Atlassian recommends you upgrade to a fixed LTS version or later.
h2. Affected Versions
||Product||Affected Versions||
|Jira Service Management Data Center
Jira Service Management Server| - 4.20.0
Atlassian recommends that you upgrade your instance to one of the versions listed in the βFixed Versionsβ table section of this ticket. For full descriptions of the above versions of Jira Service Management Data Center and Server, see the [release notes|https://confluence.atlassian.com/servicemanagement/jira-service-management-release-notes-780083086.html]. You can download the latest version of Jira Service Management Data Center and Server from the [download center|https://www.atlassian.com/software/jira/service-management/download-archives].
h2. Mitigation
If you are unable to upgrade to a fixed version immediately, you can temporarily remediate this vulnerability by disabling Assets on your Jira Service Management instance by following these instructions. This has the consequence of disabling Assets functionality. [https://confluence.atlassian.com/x/hHLSQ]
For additional details, please see full advisory here: [https://confluence.atlassian.com/pages/viewpage.action?pageId=1295385959]
h2. Acknowledgments
This vulnerability was discovered and reported via our Atlassian (Internal) program.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.008 Low
EPSS
Percentile
80.8%