Why does LTS version 8.13.6 still show the same vulnerabilities as 8.13.2?

Paul Bien May 12, 2021

We were previously on LTS version 8.13.2, but we got some vulnerabilities reported for that version. It was stated that we should upgrade to a higher version in order to remediate the vulnerabilities, so we upgraded to the latest LTS version, 8.13.6. Now that we are on LTS version 8.13.6, the same vulnerabilities are still showing up, as if the latest LTS version 8.13.6 doesn't have the fix for them. Can anyone please confirm whether the vulnerabilities below are really fixed in the latest LTS version 8.13.6?

- atlassian-jira-cve-2021-26070
- atlassian-jira-cve-2020-36237
- atlassian-jira-cve-2020-29453
- atlassian-jira-cve-2020-36235
- atlassian-jira-cve-2020-29451
- atlassian-jira-cve-2021-26069
- atlassian-jira-cve-2020-36236
- atlassian-jira-cve-2020-36234
- atlassian-jira-cve-2020-36286
- atlassian-jira-cve-2020-36238
- atlassian-jira-cve-2020-36288
- atlassian-jira-cve-2021-26075
- atlassian-jira-cve-2021-26071
- atlassian-jira-cve-2021-26076

All of these vulnerabilities were showing on our previous LTS version 8.13.2, but they are also still showing on our current setup, which is on the latest LTS version 8.13.6. Thank you!

Answer accepted
Nic Brough -Adaptavist-
May 12, 2021

The simple answer is that Atlassian have not fixed them.

Without reading each one, I can't tell you if this is the exact case, but there are several places where the security problems may occur: Jira itself of course, but also the Tomcat it's running on, the Java it is using, some of the libraries Jira or Tomcat are using, and sometimes even the apps loaded into Jira (although those CVEs are usually recorded against the app rather than Jira and are the responsibility of the authors more than Atlassian).

Atlassian do not commit to fixing every CVE every time one is raised. They're all considered for development, but not all will make the cut on every point release, and there are all sorts of reasons for that, not least the complexity of moving up a Tomcat version, a Java version or upgrading a library for a fix. It's a complex web of dependencies and reliances, and those are not always minor changes that you can get done in one go.

Paul Bien May 12, 2021

Hi Nic,

Thanks for the response!

The mentioned vulnerabilities are Jira/Atlassian-specific vulnerabilities, and most of them, if not all, recommend upgrading to a version higher than 8.13.2 to remediate the vulnerabilities. Also, similar reports to this one state the versions that are affected by the vulnerabilities and those that are not, so we went to the latest LTS version 8.13.6, as most of these vulnerabilities, if not all, only affect LTS versions lower than 8.13.3. Now we are wondering why version 8.13.6 is still showing these vulnerabilities. You said that they may not have fixed them yet, but their recommendation already states which version to go to for the fix, so it is kind of misleading. Thanks!

Nic Brough -Adaptavist-
May 12, 2021

What do you mean by "still showing"?

Paul Bien May 12, 2021

Hi Nic,

Let's use atlassian-jira-cve-2021-26070 as an example (one of the vulnerabilities I listed above). The description for that vulnerability is "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to evade behind-the-firewall protection of app-linked resources via a Broken Authentication vulnerability in the `makeRequest` gadget resource. The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1." As I said, we upgraded to version 8.13.6, which should no longer be affected by that vulnerability based on the description, but on our latest vulnerability scan it is still showing as a vulnerability for our Jira even though our Jira is already on version 8.13.6. Thanks!
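
The disagreement in this thread comes down to how a scanner maps an installed version onto an advisory's affected ranges. The advisory quoted above gives two disjoint ranges (everything before 8.13.3, and 8.14.0 up to but not including 8.14.1), which is exactly the shape a branch-based fix produces: the LTS branch got the fix at 8.13.3 while the newer branch got it at 8.14.1. A scanner that only compares against the highest fixed version will flag 8.13.6 as vulnerable. The Python below is an added example written for this page, not code from the thread, from Atlassian or from any scanner vendor; the CVE identifier and the range text are taken from the post above, and the range table, function names and the naive comparison are constructed here to show the difference between a correct range check and the shortcut that produces the false positive.

```python
# Added example (not from the Atlassian Community thread): decide whether an
# installed Jira version falls inside a CVE's affected-version ranges, using
# the ranges quoted in the thread for atlassian-jira-cve-2021-26070:
# "before version 8.13.3, and from version 8.14.0 before 8.14.1".
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """Turn '8.13.6' into (8, 13, 6) so comparisons are numeric, not lexical
    (a string compare would wrongly rank '8.13.10' below '8.13.9')."""
    return tuple(int(part) for part in s.strip().split("."))


# Each range is (lower bound inclusive, upper bound exclusive); a lower bound
# of None means "every earlier version". Constructed here from the advisory
# text quoted in the thread; it is not a vendor-provided data file.
AFFECTED_RANGES: Dict[str, List[Tuple[Optional[str], str]]] = {
    "atlassian-jira-cve-2021-26070": [
        (None, "8.13.3"),      # LTS branch: fixed in 8.13.3, so 8.13.2 is in
        ("8.14.0", "8.14.1"),  # 8.14 branch: fixed in 8.14.1
    ],
}


def is_affected(installed: str, ranges: List[Tuple[Optional[str], str]]) -> bool:
    """True if the installed version lies within any of the affected ranges."""
    v = parse_version(installed)
    for lo, hi in ranges:
        above_lower = lo is None or parse_version(lo) <= v
        below_upper = v < parse_version(hi)
        if above_lower and below_upper:
            return True
    return False


def naive_is_affected(installed: str, highest_fixed: str) -> bool:
    """The shortcut that yields a false positive for 8.13.6: it compares only
    against the highest fixed version across all branches and ignores that the
    LTS branch was already fixed at 8.13.3."""
    return parse_version(installed) < parse_version(highest_fixed)


def assess(installed: str, cve: str) -> dict:
    """Run both checks side by side so the discrepancy is visible in one place."""
    ranges = AFFECTED_RANGES[cve]
    highest_fixed = max((hi for _, hi in ranges), key=parse_version)
    return {
        "cve": cve,
        "installed": installed,
        "affected_by_ranges": is_affected(installed, ranges),
        "affected_by_naive_check": naive_is_affected(installed, highest_fixed),
    }


if __name__ == "__main__":
    for ver in ("8.13.2", "8.13.6", "8.14.0", "8.14.1"):
        print(assess(ver, "atlassian-jira-cve-2021-26070"))
```

For 8.13.6 the range check reports not affected while the naive check reports affected, which is the mismatch the thread is chasing. When a scanner finding disagrees with the advisory's stated ranges, comparing the installed version against every range the advisory lists (rather than a single "fixed in" version) is the first check to run before raising it with the vendor.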

Nic Brough -Adaptavist-
May 12, 2021

I'd question why your scans are mis-reporting.

Paul Bien May 12, 2021

Hi Nic,

That's the plan, but before we go there we want to have confirmation from Atlassian first that these vulnerabilities are really fixed in version 8.13.6, so we can use it to question our scans. Which leads back to my original question above: "Can anyone please confirm if the listed vulnerabilities are really fixed in the latest LTS version 8.13.6?" Thanks!

Nic Brough -Adaptavist-
May 12, 2021

Ok, check the linked issues in Atlassian's Jira for each one you are worried about (the random CVE I picked to look at had a linked issue in there). That's the source of "is it really done" that Atlassian would quote at you anyway.

Paul Bien May 12, 2021

Hi Nic,

So for the vulnerability used as an example above, the screenshot below should already be good evidence that version 8.13.6 has the fix?

[screenshot attached: image (1).png]

Nic Brough -Adaptavist-
May 12, 2021

Yes, that's what Atlassian will point you to if you ask them directly.

Paul Bien May 12, 2021

Ok, thank you very much, Nic, for your time and replies!

Deployment type: Server. Version: 8.13.6.