CVE-2019-11583 - Unspecified vulnerability in Atlassian Jira

CVSS base score: 4.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
Tags: network, low complexity, atlassian, nessus

Summary

The issue searching component in Jira before version 8.1.0 allows remote attackers to deny access to the Jira service via a denial of service vulnerability in issue search when ordering by "Epic Name".

Vulnerable Configurations

Part         Description  Count
Application  Atlassian    474

Nessus

NASL family: CGI abuses
NASL id: JIRA_CVE-2019_11583.NASL
description: According to its self-reported version number, the instance of Atlassian JIRA hosted on the remote web server is potentially affected by an unspecified flaw in
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 128326
published: 2019-08-29
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/128326
title: Atlassian JIRA < 7.13.4 / 8.0.x < 8.1.0 Epic Name DoS (SB19-182)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(128326);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/28");

  script_cve_id("CVE-2019-11583");
  script_bugtraq_id(108901);

  script_name(english:"Atlassian JIRA < 7.13.4 / 8.0.x < 8.1.0 Epic Name DoS (SB19-182)");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a web application that is potentially 
affected by denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the instance of
Atlassian JIRA hosted on the remote web server is potentially
affected by a unspecified flaw in 'Epic Name' ordering operations. A
remote, authenticated attacker could cause a denial of service.");
  script_set_attribute(attribute:"see_also", value:"https://jira.atlassian.com/browse/JSWSERVER-20111");
  script_set_attribute(attribute:"see_also", value:"https://www.us-cert.gov/ncas/bulletins/SB19-182");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Atlassian JIRA version 7.13.4 / 8.1.0 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11583");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/06/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/29");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:atlassian:jira");
  script_set_attribute(attribute:"agent", value:"all");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("jira_detect.nasl", "atlassian_jira_win_installed.nbin", "atlassian_jira_nix_installed.nbin");
  script_require_keys("installed_sw/Atlassian JIRA");

  exit(0);
}

include('vcf.inc');


app_info = vcf::combined_get_app_info(app:'Atlassian JIRA');
constraints = [
  { 'fixed_version' : '7.13.4' },
  { 'min_version' : '8.0.0', 'fixed_version' : '8.1.0' }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);