Security vulnerabilities related to Jira after running an audit check on our server

omar alashqar
November 23, 2020


Can you please help us close the vulnerabilities below:

- Atlassian JIRA: Template injection in Jira Importers Plugin (CVE-2019-15001)
- JIRA Security Advisory 2019-07-10: Jira Server - Template injection in various resources
- Atlassian JIRA: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CVE-2020-14172)
- Atlassian JIRA: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CVE-2019-20409)
- Atlassian JIRA: URL Redirection to Untrusted Site ('Open Redirect') (CVE-2019-20901)
- Atlassian JIRA: Information Exposure (CVE-2019-20417)
- Atlassian JIRA: URL Redirection to Untrusted Site ('Open Redirect') (CVE-2019-11585)
- Atlassian JIRA: URL Redirection to Untrusted Site ('Open Redirect') (CVE-2019-11589)
- Atlassian JIRA: Server-Side Request Forgery (SSRF) (CVE-2019-8451)
- Atlassian JIRA: Unspecified Security Vulnerability (CVE-2019-20899)
- Atlassian JIRA: Improper Input Validation (CVE-2019-20413)
- Atlassian JIRA: Information Exposure (CVE-2019-20898)
- Atlassian JIRA: Incorrect Authorization (CVE-2020-14165)
- Atlassian JIRA: Server-Side Request Forgery (SSRF) (CVE-2019-20408)
- Atlassian JIRA: Improper Authentication (CVE-2019-20412)
- Atlassian JIRA: Information Exposure (CVE-2020-4028)
- Atlassian JIRA: Information Exposure (CVE-2019-20403)
- Atlassian JIRA: Incorrect Default Permissions (CVE-2019-14995)
- Atlassian JIRA: Improper Authorization (CVE-2019-8446)
- Atlassian JIRA: Permission Issues leading to Information Disclosure (CVE-2019-8445)
- Atlassian JIRA: User enumeration through the groupuserpicker api resource (CVE-2019-8449)
- Atlassian JIRA: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-2019-20900)
- Atlassian JIRA: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-2020-14173)
- Atlassian JIRA: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-2020-4024)
- Atlassian JIRA: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-2020-4025)
- Atlassian JIRA: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-2019-20416)
- Atlassian JIRA: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-2019-20414)
- Atlassian JIRA: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-2020-4021)
- Atlassian JIRA: Unrestricted Upload of File with Dangerous Type (CVE-2019-20897)
- Atlassian JIRA: Unspecified Security Vulnerability (CVE-2019-20418)
- Atlassian JIRA: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-2019-8450)
- Atlassian JIRA: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-2019-8444)
- Atlassian JIRA: Incorrect Default Permissions (CVE-2019-20106)
- Atlassian JIRA: Missing Authorization (CVE-2019-15013)
- Atlassian JIRA: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-2020-4022)
- Atlassian JIRA: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-2020-14164)
- Atlassian JIRA: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-2020-14169)
- Atlassian JIRA: Cross-Site Request Forgery (CSRF) (CVE-2019-20411)
- Atlassian JIRA: Cross-Site Request Forgery (CSRF) (CVE-2019-11588)
- Atlassian JIRA: Cross-Site Request Forgery (CSRF) (CVE-2019-20401)
- Atlassian JIRA: Cross-Site Request Forgery (CSRF) (CVE-2019-20405)
- Atlassian JIRA: Cross-Site Request Forgery (CSRF) (CVE-2019-14998)
- Atlassian JIRA: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-2019-14996)
- Atlassian JIRA: Cross-Site Request Forgery (CSRF) (CVE-2019-11586)
- Atlassian JIRA: Cross-Site Request Forgery (CSRF) (CVE-2019-11587)
- Atlassian JIRA: Cross-Site Request Forgery (CSRF) (CVE-2019-8447)
- Atlassian JIRA: Untrusted Search Path (CVE-2019-20419)
- Atlassian JIRA: Improper Input Validation (CVE-2020-14174)
- Atlassian JIRA: Incorrect Authorization (CVE-2020-4029)
- Atlassian JIRA: Information Exposure (CVE-2019-20410)
- Atlassian JIRA: Missing Authorization (CVE-2019-15005)
- Atlassian JIRA: Cross-Site Request Forgery (CSRF) (CVE-2019-20098)
- Atlassian JIRA: Cross-Site Request Forgery (CSRF) (CVE-2019-20099)
- Atlassian JIRA: CSRF in Application Links plugin allows network enumeration (CVE-2019-20100)
- Atlassian JIRA: Information Exposure (CVE-2019-14997)

Answer accepted
Daniel Ebers
November 23, 2020

Hi Omar,

Whilst I haven't checked every single CVE you have listed, the general recommendation is to upgrade to a recent version that is then no longer affected by a specific CVE.

https://confluence.atlassian.com/adminjiraserver/upgrading-jira-applications-938846936.html

If it is a critical CVE, it is also listed here along with mitigation options: https://www.atlassian.com/trust/security/advisories

Cheers,
Daniel
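One way to confirm that an upgrade actually closed the scanner findings, as an added example that is not part of this thread or Atlassian's code: compare the version Jira reports with the version each CVE was fixed in. It assumes the JSON shape of Jira's `/rest/api/2/serverInfo` response (a constructed sample is used here) and uses placeholder fixed-in versions that must be replaced with the ones from Atlassian's advisories.

```python
"""Confirm which scanner findings are still open on a Jira Server instance by
comparing its reported version with the version each CVE was fixed in.
Added example for this thread, not Atlassian's code; FIXED_IN holds PLACEHOLDERS."""
import json
import re

# Constructed sample of the JSON that Jira's /rest/api/2/serverInfo endpoint
# returns (the real response has more fields); a live check would GET it.
SAMPLE_SERVER_INFO = '{"baseUrl": "https://jira.example.test", "version": "8.5.0"}'

# Constructed subset of the scanner lines from the question above.
SAMPLE_FINDINGS = [
    "Atlassian JIRA: Server-Side Request Forgery (SSRF) (CVE-2019-8451)",
    "Atlassian JIRA: Incorrect Authorization (CVE-2020-14165)",
    "Atlassian JIRA: Information Exposure (CVE-2019-14997)",
]

# CVE -> first fixed version. PLACEHOLDER values for illustration only; take
# the real ones from https://www.atlassian.com/trust/security/advisories
FIXED_IN: dict[str, str] = {
    "CVE-2019-8451": "8.4.0",    # placeholder
    "CVE-2020-14165": "8.6.0",   # placeholder
}

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

def parse_version(text: str) -> tuple[int, ...]:
    """'8.13.1' -> (8, 13, 1); trailing labels such as '-beta' are ignored."""
    core = re.match(r"\d+(?:\.\d+)*", text.strip())
    if core is None:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in core.group(0).split("."))

def version_at_least(current: str, required: str) -> bool:
    """Numeric compare so 8.10.0 > 8.9.0 (a string compare gets this wrong)."""
    cur, req = parse_version(current), parse_version(required)
    width = max(len(cur), len(req))
    return cur + (0,) * (width - len(cur)) >= req + (0,) * (width - len(req))

def triage(server_info_json: str, findings: list[str], fixed_in: dict[str, str]) -> dict[str, str]:
    """Map each CVE found in the scanner lines to 'fixed', 'open' or 'unknown'."""
    version = json.loads(server_info_json)["version"]
    result: dict[str, str] = {}
    for cve in (c for line in findings for c in CVE_RE.findall(line)):
        if cve not in fixed_in:
            result[cve] = "unknown"   # not in the table: never silently close it
        else:
            result[cve] = "fixed" if version_at_least(version, fixed_in[cve]) else "open"
    return result
```

A CVE missing from the table is reported as "unknown" rather than closed, so a stale table cannot hide an open finding.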

omar alashqar
December 2, 2020

Hi Daniel,

Thank you for your suggestion; it actually worked. I upgraded the Jira Core version and all Jira-related vulnerabilities have been resolved.

Much appreciated,

Omar

Deployment type: Server