Atlassian JIRA Privilege Escalation and Multiple Cross Site Scripting Vulnerabilities
BID:39485
Info
| Field | Value |
| --- | --- |
| Bugtraq ID: | 39485 |
| Class: | Unknown |
| CVE: | CVE-2010-1164, CVE-2010-1165 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 14 2010 12:00AM |
| Updated: | Apr 13 2015 09:02PM |
| Credit: | These issues were discovered in the wild. |
| Vulnerable: | Atlassian JIRA 4.1, 4.0.2, 4.0.1, 4.0, 3.13.5, 3.13.4, 3.13.3, 3.13.2, 3.13.1, 3.13, 3.12.3, 3.12.2, 3.12.1, 3.12 |
| Not Vulnerable: | |
Discussion
Atlassian JIRA is prone to a remote privilege-escalation vulnerability and multiple cross-site scripting vulnerabilities.
Remote authenticated attackers can exploit the privilege-escalation issue to gain SYSTEM-level privileges, completely compromising affected computers.
Remote attackers can leverage the cross-site scripting vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions of JIRA 3.12 through 4.1 are vulnerable.
Exploit / POC
To exploit cross-site scripting vulnerabilities, an attacker must entice an unsuspecting user into visiting a malicious URI.
These issues are being exploited in the wild.
Solution / Fix
Solution:
The vendor has released updates. Please see the references for more information.
References
References:
- apache.org incident report for 04/09/2010 (Apache Infrastructure Team)
- Atlassian JIRA Homepage (Atlassian)
- JRA-20994 XSS Vulnerabilities in JIRA (Atlassian)
- JRA-20995 Privilege escalation vulnerability when administrator access is compr (Atlassian)