I am developing a plugin for JIRA on-premise, version 10.x.
I am getting the security vulnerability BDSA-2021-0710 / CVE-2020-13936.
This is coming from Apache Velocity 1.6.4-atlassian-36.
Below is the dependency tree:
[INFO] +- com.atlassian.jira:jira-api:jar:10.0.0:provided
[INFO] | +- com.atlassian.annotations:atlassian-annotations:jar:5.0.1:provided (version managed from 5.0.1)
[INFO] | +- com.atlassian.ofbiz:entityengine-share:jar:4.0.0:provided (version managed from 4.0.0)
[INFO] | | \- xerces:xercesImpl:jar:2.12.2:provided (version managed from 2.12.2)
[INFO] | | \- xml-apis:xml-apis:jar:1.4.01:provided (version managed from 1.4.01)
[INFO] | +- com.atlassian.ofbiz:entityengine:jar:4.0.0:provided (version managed from 4.0.0)
[INFO] | | \- jakarta.transaction:jakarta.transaction-api:jar:1.3.3:provided (version managed from 1.3.3)
[INFO] | +- com.atlassian.collectors:atlassian-collectors-util:jar:1.1:provided (version managed from 1.1)
[INFO] | +- opensymphony:webwork:jar:1.4-atlassian-31:provided (version managed from 1.4-atlassian-31)
[INFO] | | \- com.atlassian.html:atlassian-html-encoder:jar:1.5:provided (version managed from 1.4)
[INFO] | +- webwork:pell-multipart-request:jar:1.31.0:provided
[INFO] | +- com.atlassian.core:atlassian-core-logging:jar:9.0.0:provided (version managed from 9.0.0)
[INFO] | +- com.atlassian.core:atlassian-core-user:jar:9.0.0:provided (version managed from 9.0.0)
[INFO] | | +- com.atlassian.core:atlassian-core:jar:9.0.0:provided (version managed from 9.0.0)
[INFO] | | | \- (opensymphony:propertyset:jar:1.5:provided - omitted for duplicate)
[INFO] | | \- (opensymphony:propertyset:jar:1.5:provided - omitted for duplicate)
[INFO] | +- com.atlassian.core:atlassian-core-thumbnail:jar:9.0.0:provided (version managed from 9.0.0)
[INFO] | | +- (com.atlassian.core:atlassian-core:jar:9.0.0:provided - version managed from 9.0.0; omitted for duplicate)
[INFO] | | \- com.twelvemonkeys.imageio:imageio-core:jar:3.8.2:provided
[INFO] | | +- com.twelvemonkeys.common:common-lang:jar:3.8.2:provided
[INFO] | | +- com.twelvemonkeys.common:common-io:jar:3.8.2:provided
[INFO] | | | \- (com.twelvemonkeys.common:common-lang:jar:3.8.2:provided - omitted for duplicate)
[INFO] | | \- com.twelvemonkeys.common:common-image:jar:3.8.2:provided
[INFO] | | +- (com.twelvemonkeys.common:common-lang:jar:3.8.2:provided - omitted for duplicate)
[INFO] | | \- (com.twelvemonkeys.common:common-io:jar:3.8.2:provided - omitted for duplicate)
[INFO] | +- com.atlassian.extras:atlassian-extras:jar:3.4.6:provided (version managed from 3.4.6)
[INFO] | | +- (commons-codec:commons-codec:jar:1.16.1:provided - version managed from 1.11; omitted for duplicate)
[INFO] | | \- com.atlassian.extras:atlassian-extras-key-manager:jar:3.4.6:provided (version managed from 3.4.6)
[INFO] | | +- com.atlassian.extras:atlassian-extras-common:jar:3.4.6:provided (version managed from 3.4.6)
[INFO] | | | \- com.atlassian.extras:atlassian-extras-api:jar:3.4.6:provided (version managed from 3.4.6)
[INFO] | | \- (commons-codec:commons-codec:jar:1.16.1:provided - version managed from 1.11; omitted for duplicate)
[INFO] | +- com.atlassian.velocity:atlassian-velocity:jar:1.4:provided (version managed from 1.4)
[INFO] | | +- (com.atlassian.core:atlassian-core:jar:9.0.0:provided - version managed from 4.6.0; omitted for duplicate)
[INFO] | | +- (org.apache.commons:commons-lang3:jar:3.14.0:provided - version managed from 3.12.0; omitted for duplicate)
[INFO] | | +- org.apache.commons:commons-text:jar:1.11.0:provided (version managed from 1.9)
[INFO] | | | \- (org.apache.commons:commons-lang3:jar:3.14.0:provided - version managed from 3.13.0; omitted for duplicate)
[INFO] | | +- (org.apache.velocity:velocity:jar:1.6.4-atlassian-36:provided - version managed from 1.6.4-atlassian-7; omitted for duplicate)
[INFO] | | \- opensymphony:oscore:jar:2.2.7-atlassian-1:provided
[INFO] | +- org.apache.velocity:velocity:jar:1.6.4-atlassian-36:provided (version managed from 1.6.4-atlassian-36)
[INFO] | | +- commons-collections:commons-collections:jar:3.2.2:provided (version managed from 3.2.2)
[INFO] | | +- (org.apache.commons:commons-lang3:jar:3.14.0:provided - version managed from 3.12.0; omitted for duplicate)
[INFO] | | +- (org.apache.commons:commons-text:jar:1.11.0:provided - version managed from 1.10.0; omitted for duplicate)
[INFO] | | \- (oro:oro:jar:2.0.8:provided - version managed from 2.0.8; omitted for duplicate)
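The tree above is where a scanner finding like this has to be traced: which lines actually reach the flagged artifact, whether a given line is the resolved node or a parenthesised "omitted for duplicate/conflict" entry that Maven did not select, and what scope the resolved node carries (a `provided`-scope jar is not packaged into the plugin; the copy in use at runtime is whichever one the host Jira ships). The script below is an added example for this thread, not code from the poster or from Atlassian. It parses `mvn dependency:tree` output and reports every path to an artifact with its scope and resolution status. The sample tree is constructed with standard Maven column spacing and mirrors the shape of the one in the question; the `org.example:my-plugin-lib` dependency and the Velocity 1.7 conflict line are hypothetical.

```python
"""Locate an artifact flagged by a scanner in `mvn dependency:tree` output and
report every path that reaches it, its Maven scope, and whether each line is
the resolved node or a parenthesised duplicate/conflict entry.

Added example for this thread; not code from the post or from Atlassian.
"""
import re
from dataclasses import dataclass

# Constructed sample with standard Maven column spacing (three characters per
# level). It mirrors the shape of the tree in the question but is not a copy
# of it; org.example:my-plugin-lib and the 1.7 conflict line are hypothetical.
SAMPLE_TREE = r"""
[INFO] +- com.atlassian.jira:jira-api:jar:10.0.0:provided
[INFO] |  +- com.atlassian.velocity:atlassian-velocity:jar:1.4:provided (version managed from 1.4)
[INFO] |  |  +- (org.apache.velocity:velocity:jar:1.6.4-atlassian-36:provided - version managed from 1.6.4-atlassian-7; omitted for duplicate)
[INFO] |  |  \- opensymphony:oscore:jar:2.2.7-atlassian-1:provided
[INFO] |  \- org.apache.velocity:velocity:jar:1.6.4-atlassian-36:provided (version managed from 1.6.4-atlassian-36)
[INFO] |     \- commons-collections:commons-collections:jar:3.2.2:provided
[INFO] \- org.example:my-plugin-lib:jar:2.0:compile
[INFO]    \- (org.apache.velocity:velocity:jar:1.7:compile - omitted for conflict with 1.6.4-atlassian-36)
"""

# "[INFO] ", then zero or more 3-character columns ("|  " or "   "), then "+- " or "\- ".
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:\|  |   )*)[+\\]- (?P<rest>.+)$")


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    scope: str
    omitted: bool   # parenthesised line: duplicate or conflict, not the resolved node
    note: str       # trailing text, e.g. "omitted for conflict with 1.6.4-atlassian-36"
    path: tuple     # "group:artifact:version" chain from a direct dependency to this node


def parse_coords(coords):
    """Return (group, artifact, version, scope) from a Maven coordinate string."""
    parts = coords.split(":")
    if len(parts) == 5:          # group:artifact:type:version:scope
        return parts[0], parts[1], parts[3], parts[4]
    if len(parts) == 6:          # group:artifact:type:classifier:version:scope
        return parts[0], parts[1], parts[4], parts[5]
    raise ValueError(f"unexpected coordinates: {coords}")


def parse_tree(text):
    """Parse dependency:tree output into Nodes, reconstructing each node's path."""
    nodes, stack = [], []        # stack[d] = label of the node currently open at depth d
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # project root line, blank lines, other plugin output
        depth = len(m.group("prefix")) // 3
        rest = m.group("rest")
        omitted = rest.startswith("(")
        coords, _, note = rest.strip("()").partition(" ")
        group, artifact, version, scope = parse_coords(coords)
        del stack[depth:]        # pop back to the parent level before appending
        stack.append(f"{group}:{artifact}:{version}")
        nodes.append(Node(group, artifact, version, scope, omitted,
                          note.strip(" -()"), tuple(stack)))
    return nodes


def occurrences(nodes, group, artifact):
    """Every line (resolved or omitted) that mentions the artifact."""
    return [n for n in nodes if n.group == group and n.artifact == artifact]


def resolved(nodes, group, artifact):
    """The node Maven actually resolved (non-parenthesised), or None if absent."""
    hits = [n for n in occurrences(nodes, group, artifact) if not n.omitted]
    return hits[0] if hits else None


def packaged_with_plugin(node):
    """True when the resolved jar would be bundled into the plugin artifact.
    compile/runtime scoped jars are packaged; provided and test scoped jars are
    not, and the host application (here Jira) supplies its own copy at runtime."""
    return node is not None and node.scope in ("compile", "runtime")


def report(text, group, artifact):
    """Human-readable summary of how an artifact enters the build and whether it ships."""
    nodes = parse_tree(text)
    lines = []
    for n in occurrences(nodes, group, artifact):
        status = "omitted" if n.omitted else "resolved"
        lines.append(f"{status:8} {n.version:20} scope={n.scope:9} via " + " -> ".join(n.path))
    lines.append(f"packaged into plugin: {packaged_with_plugin(resolved(nodes, group, artifact))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_TREE, "org.apache.velocity", "velocity"))
```

Run it against raw `mvn dependency:tree` output (`mvn dependency:tree -Dincludes=org.apache.velocity:velocity` narrows the real tree to paths that reach the artifact). A copy pasted through a web page, like the one above, has had its column spacing collapsed, which destroys the depth information the parser relies on, so feed it the terminal output rather than the forum rendering.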
Hi @atripathi3 , welcome to the Community!
According to what I can find, that CVE impacts Atlassian's Bitbucket products. I don't see any mention of Jira.
https://jira.atlassian.com/browse/BSERV-14568
Either way, I would recommend upgrading Bitbucket if you have it, and upgrading Jira as well, to the latest supported version.
Jira Data Center recently released version 10.6, which you can find notes on here: https://confluence.atlassian.com/jirasoftware/jira-software-10-6-x-release-notes-1541080745.html
If that doesn't resolve the issue, I would recommend reaching out directly to Atlassian Support via their support portal at support.atlassian.com.
Hope that helps!
Robert