Lucene search

K
atlassianSecurity-metrics-botJSWSERVER-20705
HistorySep 23, 2020 - 9:05 p.m.

JSW Server not vulnerable to an Insecure Deserialization issue in Jackson Databind - CVE-2018-14720

2020-09-2321:05:08
security-metrics-bot
jira.atlassian.com
24
jira software
server update
insecure deserialization

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.008

Percentile

82.2%

Scanners may falsely flag some versions of Jira Software Server before 8.5.5 as vulnerable to an Insecure Deserialization issue in Jackson Databind (CVE-2018-14720). This vulnerability in a transitive dependency was being flagged because Jira Software assumed the version of applinks provided by Jira Core was an earlier version of applinks but Jira Core was actually providing a newer version that was not vulnerable to CVE-2018-14720. Jira Software Server has been updated to assume that Jira Core is providing the newer version of applinks so that scanners should not flag this issue in versions after 8.5.5.

Affected configurations

Vulners
Node
atlassianjira_software_data_centerRange8.5.0
OR
atlassianjira_software_data_centerRange8.5.1
OR
atlassianjira_software_data_centerRange8.5.2
OR
atlassianjira_software_data_centerRange8.5.3
OR
atlassianjira_software_data_centerRange8.5.4
VendorProductVersionCPE
atlassianjira_software_data_center*cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.008

Percentile

82.2%