Lucene search
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.JIRA_JSDSERVER_14754.NASLHistoryDec 11, 2023 - 12:00 a.m.
Atlassian Jira Service Management Data Center and Server 4.20.x < 4.20.27 / 5.4.x < 5.4.11 (JSDSERVER-14754)
2023-12-1100:00:00
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
6
atlassian jira service management
data center
server
jira service desk
vulnerability
parsing issue
protobuf-java
denial of service
advisory
cve-2022-3171
nessus
application version.
7.7 High
AI Score
Confidence
High
The version of Atlassian Jira Service Management Data Center and Server (Jira Service Desk) running on the remote host is affected by a vulnerability as referenced in the JSDSERVER-14754 advisory.
- A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. (CVE-2022-3171)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(186723);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/29");
script_cve_id("CVE-2022-3171");
script_xref(name:"IAVA", value:"2024-A-0175");
script_name(english:"Atlassian Jira Service Management Data Center and Server 4.20.x < 4.20.27 / 5.4.x < 5.4.11 (JSDSERVER-14754)");
script_set_attribute(attribute:"synopsis", value:
"The remote Atlassian Jira Service Management Data Center and Server (Jira Service Desk) host is missing a security
update.");
script_set_attribute(attribute:"description", value:
"The version of Atlassian Jira Service Management Data Center and Server (Jira Service Desk) running on the remote
host is affected by a vulnerability as referenced in the JSDSERVER-14754 advisory.
- A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6
and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated
embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between
mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend
updating to the versions mentioned above. (CVE-2022-3171)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://jira.atlassian.com/browse/JSDSERVER-14754");
script_set_attribute(attribute:"solution", value:
"Upgrade to Atlassian Jira Service Management Data Center and Server version 4.20.27, 5.4.11 or later.");
script_set_attribute(attribute:"agent", value:"all");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-3171");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/10/12");
script_set_attribute(attribute:"patch_publication_date", value:"2023/10/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/12/11");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:atlassian:jira_service_desk");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("os_fingerprint.nasl", "jira_service_desk_installed_win.nbin", "jira_service_desk_installed_nix.nbin");
script_require_keys("installed_sw/JIRA Service Desk Application");
exit(0);
}
include('vcf.inc');
var app_info = vcf::combined_get_app_info(app:'JIRA Service Desk Application');
var constraints = [
{ 'min_version' : '4.20.0','fixed_version' : '4.20.27' },
{ 'min_version' : '5.4.0', 'fixed_version' : '5.4.11' },
{ 'min_version' : '5.5.1', 'fixed_version' : '5.5.2', 'fixed_display' : 'See vendor advisory' },
{ 'min_version' : '5.6.0', 'fixed_version' : '5.6.1', 'fixed_display' : 'See vendor advisory' },
{ 'min_version' : '5.7.0', 'fixed_version' : '5.7.1', 'fixed_display' : 'See vendor advisory' },
{ 'min_version' : '5.8.0', 'fixed_version' : '5.8.1', 'fixed_display' : 'See vendor advisory' },
{ 'min_version' : '5.9.0', 'fixed_version' : '5.9.1', 'fixed_display' : 'See vendor advisory' },
{ 'min_version' : '5.10.0', 'fixed_version' : '5.10.1', 'fixed_display' : 'See vendor advisory' }
];
vcf::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_HOLE
);
| Vendor | Product | Version | CPE |
|---|---|---|---|
| atlassian | jira_service_desk | cpe:/a:atlassian:jira_service_desk |
Related
redos
redos
ROS-20221020-02
2022-10-20 00:00:00
atlassian
atlassian
ibm
ibm
wolfi
wolfi
CVE-2022-3171 vulnerabilities
2024-05-04 21:07:06
cve
cve
cnvd
cnvd
Google protobuf-java denial of service vulnerability
2022-10-14 00:00:00
prion
prion
Design/Logic Flaw
2022-10-12 23:15:00
Design/Logic Flaw
2022-12-12 13:15:00
Code injection
2022-12-12 13:15:00
github
github
protobuf-java has a potential Denial of Service issue
2022-10-04 22:17:15
Protobuf Java vulnerable to Uncontrolled Resource Consumption
2022-12-12 15:30:33
Protobuf Java vulnerable to Uncontrolled Resource Consumption
2022-12-12 15:30:33
veracode
veracode
Denial Of Service (DoS)
2022-10-06 04:00:47
nessus
nessus
osv
osv
CVE-2022-3171
2022-10-12 23:15:09
protobuf-java has a potential Denial of Service issue
2022-10-04 22:17:15
CVE-2022-3510
2022-12-12 13:15:14
debiancve
debiancve
cgr
cgr
CVE-2022-3171 vulnerabilities
2024-05-04 21:06:41
redhatcve
redhatcve
CVE-2022-3171
2022-10-26 14:23:07
rubygems
rubygems
protobuf-java has a potential Denial of Service issue
2022-10-03 21:00:00
ubuntucve
ubuntucve
openvas
openvas
Fedora: Security Advisory for perl-Alien-ProtoBuf (FEDORA-2022-15729fa33d)
2023-04-28 00:00:00
Mageia: Security Advisory (MGASA-2023-0092)
2023-03-28 00:00:00
Fedora: Security Advisory for protobuf (FEDORA-2022-25f35ed634)
2022-12-18 00:00:00
fedora
fedora
[SECURITY] Fedora 37 Update: protobuf-3.19.6-1.fc37
2022-12-18 01:43:08
[SECURITY] Fedora 36 Update: protobuf-3.19.6-1.fc36
2023-04-27 01:30:33
[SECURITY] Fedora 36 Update: perl-Alien-ProtoBuf-0.09-17.fc36
2023-04-27 01:30:33
redhat
redhat
mageia
mageia
Updated protobuf packages fix security vulnerability
2023-03-19 01:16:28
gentoo
gentoo
protobuf-java: Denial of Service
2023-01-11 00:00:00
suse
suse
Security update for protobuf (important)
2022-11-09 00:00:00
freebsd
freebsd
MySQL -- Multiple vulnerabilities
2023-01-20 00:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - October 2023
2023-10-17 00:00:00
Oracle Critical Patch Update Advisory - January 2023
2023-01-17 00:00:00
Oracle Critical Patch Update Advisory - July 2023
2023-07-18 00:00:00