Vulnerabilities > CVE-2019-11589 - Open Redirect vulnerability in Atlassian Jira Server

047910
CVSS 6.1 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
LOW
Integrity impact
LOW
Availability impact
NONE
network
low complexity
atlassian
CWE-601
nessus

Summary

The ChangeSharedFilterOwner resource in Jira before version 7.13.6, from version 8.0.0 before version 8.2.3, and from version 8.3.0 before version 8.3.2 allows remote attackers to attack users, in some cases be able to obtain a user's Cross-site request forgery (CSRF) token, via a open redirect vulnerability.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Fake the Source of Data
    An adversary provides data under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or it might be an attempt by the adversary to assume the rights granted to another identity. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

Nessus

  • NASL familyCGI abuses
    NASL idJIRA_7_13_6.NASL
    descriptionAccording to its self-reported version number, the instance of Atlassian JIRA hosted on the remote web server is prior to 7.3.16, 8.2.x prior to 8.2.3, or 8.3.x prior to 8.3.2. It is, therefore, affected by multiple vulnerabilities: - An open rediect vulnerability exists in startup.jsp. An unauthenticated, remote attacker can exploit this by convincing a user to click a specially crafted URL, to redirect the user
    last seen2020-06-01
    modified2020-06-02
    plugin id128282
    published2019-08-28
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128282
    titleAtlassian JIRA Open Redirect Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(128282);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/28");
    
      script_cve_id("CVE-2019-11585", "CVE-2019-11589");
    
      script_name(english:"Atlassian JIRA Open Redirect Vulnerabilities");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server hosts a web application that is potentially 
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the instance of
    Atlassian JIRA hosted on the remote web server is prior to 7.3.16, 
    8.2.x prior to 8.2.3, or 8.3.x prior to 8.3.2. It is, therefore, affected
    by multiple vulnerabilities:
    
      - An open rediect vulnerability exists in startup.jsp. An 
        unauthenticated, remote attacker can exploit this by convincing 
        a user to click a specially crafted URL, to redirect the 
        user's browser to an unexpected malicious page. 
        (CVE-2019-11585)
    
      - An open redirect vulnerability exists in the ChangeSharedFilterOwner
        resource. An unauthenticated, remote attacker can exploit 
        this by convincing a user to click a specially crafted URL, 
        to redirect the user's browser and potentially steal their 
        CSRF token. (CVE-2019-11589)");
      script_set_attribute(attribute:"see_also", value:"https://jira.atlassian.com/browse/JRASERVER-69780");
      script_set_attribute(attribute:"see_also", value:"https://jira.atlassian.com/browse/JRASERVER-69784");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Atlassian JIRA version 7.13.6 / 8.2.3 / 8.3.2  or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11589");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/08/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/08/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/28");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:atlassian:jira");
      script_set_attribute(attribute:"agent", value:"all");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("jira_detect.nasl", "atlassian_jira_win_installed.nbin", "atlassian_jira_nix_installed.nbin");
      script_require_keys("installed_sw/Atlassian JIRA");
    
      exit(0);
    }
    
    include('vcf.inc');
    
    
    app_info = vcf::combined_get_app_info(app:'Atlassian JIRA');
    
    constraints = [
      { 'fixed_version' : '7.13.6' },
      { 'min_version' : '8.2.0', 'fixed_version' : '8.2.3' },
      { 'min_version' : '8.3.0', 'fixed_version' : '8.3.2' }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING, flags:{xsrf:true});
    
  • NASL familyCGI abuses
    NASL idJIRA_8_3_2_CVE-2019-11585.NASL
    descriptionAccording to its self-reported version number, the instance of Atlassian JIRA hosted on the remote web server is potentially affected by multiple vulnerabilities: - An open redirect vulnerability exists in the startup.jsp resource. An unauthenticated, remote attacker can exploit this via the network to redirect users to a different website which they may use as part of performing a phishing attack. (CVE-2019-11585) - A Cross-site request forgery (XSRF) vulnerability exists in the AddResolution.jspa resource. An unauthenticated, remote attacker can exploit this via the network to create new resolutions. (CVE-2019-11586) - A Cross-site request forgery (XSRF) vulnerability exists in various exposed resources of the ViewLogging class. An unauthenticated, remote attacker can exploit this via the network to modify various settings. (CVE-2019-11587) - A Cross-site request forgery (XSRF) vulnerability exists in the doGarbageCollection method of the ViewSystemInfo class. An unauthenticated, remote attacker can exploit this via the network to trigger garbage collection. (CVE-2019-11588) - An open redirect vulnerability exists in the ChangeSharedFilterOwner resource. An unauthenticated, remote attacker can exploit this via the network to attack users, and in some cases be able to obtain a user
    last seen2020-06-01
    modified2020-06-02
    plugin id129593
    published2019-10-07
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129593
    titleAtlassian JIRA 7.13.x < 7.13.6 / 8.x < 8.2.3 / 8.3.x < 8.3.2 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(129593);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/28");
    
      script_cve_id(
        "CVE-2019-11585",
        "CVE-2019-11586",
        "CVE-2019-11587",
        "CVE-2019-11588",
        "CVE-2019-11589"
      );
    
      script_name(english:"Atlassian JIRA 7.13.x < 7.13.6 / 8.x < 8.2.3 / 8.3.x < 8.3.2 Multiple Vulnerabilities");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server hosts a web application that is potentially 
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the instance of Atlassian JIRA hosted on the remote web server is
    potentially affected by multiple vulnerabilities:
    
      - An open redirect vulnerability exists in the startup.jsp resource. An unauthenticated, remote attacker can
        exploit this via the network to redirect users to a different website which they may use as part of
        performing a phishing attack. (CVE-2019-11585)
    
      - A Cross-site request forgery (XSRF) vulnerability exists in the AddResolution.jspa resource. An
        unauthenticated, remote attacker can exploit this via the network to create new resolutions.
        (CVE-2019-11586)
    
      - A Cross-site request forgery (XSRF) vulnerability exists in various exposed resources of the ViewLogging
        class. An unauthenticated, remote attacker can exploit this via the network to modify various settings.
        (CVE-2019-11587)
    
      - A Cross-site request forgery (XSRF) vulnerability exists in the doGarbageCollection method of the
        ViewSystemInfo class. An unauthenticated, remote attacker can exploit this via the network to trigger
        garbage collection. (CVE-2019-11588)
    
      - An open redirect vulnerability exists in the ChangeSharedFilterOwner resource. An unauthenticated, remote
        attacker can exploit this via the network to attack users, and in some cases be able to obtain a user's
        Cross-site request forgery (XSRF) token. (CVE-2019-11589)");
      script_set_attribute(attribute:"see_also", value:"https://jira.atlassian.com/browse/JRASERVER-69780");
      script_set_attribute(attribute:"see_also", value:"https://jira.atlassian.com/browse/JRASERVER-69781");
      script_set_attribute(attribute:"see_also", value:"https://jira.atlassian.com/browse/JRASERVER-69782");
      script_set_attribute(attribute:"see_also", value:"https://jira.atlassian.com/browse/JRASERVER-69783");
      script_set_attribute(attribute:"see_also", value:"https://jira.atlassian.com/browse/JRASERVER-69784");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Atlassian JIRA version 7.13.6 / 8.2.3 / 8.3.2 / 8.4.0 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11585");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/08/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/07");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:atlassian:jira");
      script_set_attribute(attribute:"agent", value:"all");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("jira_detect.nasl", "atlassian_jira_win_installed.nbin", "atlassian_jira_nix_installed.nbin");
      script_require_keys("installed_sw/Atlassian JIRA");
    
      exit(0);
    }
    
    include('vcf.inc');
    
    app_info = vcf::combined_get_app_info(app:'Atlassian JIRA');
    
    # Based on the JIRA advisories, the minimum version is set to 7.13.x
    constraints = [
      { 'min_version' : '7.13.0', 'fixed_version' : '7.13.6' },
      { 'min_version' : '8.0.0', 'fixed_version' : '8.2.3' },
      { 'min_version' : '8.3.0', 'fixed_version' : '8.3.2' }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING, flags:{xsrf:true});