Press "Enter" to skip to content

Update now: Jira team closes critical security gap in Insight app

Insight, an application for asset and configuration management in conjunction with Jira Service Management data center and server, had a security vulnerability classified as critical and exploitable remotely. Under certain conditions, an attacker with low access rights could have executed any Java code on the server (Remote Code Execution, RCE). The Jira developers have published updated bundles of Service Management Data Center, Server and Insight as well as a secure standalone version of the Insight app. Users should update the software as soon as possible.

Atlassian Sea Jira Service Management Security Advisory 2021-10-20 CVE-2018-10054 is based on a combination of the Insights database import feature and a native function of the H2 Database Engine, which is bundled with the Jira software by default. The function can be misused via Insight for RCE – regardless of whether the relevant import configuration has been saved or H2 has ever been used as the target DB before. However, the prerequisite for an attack is the login as a Jira user in combination with certain authorizations (“Insight administrator” or “Object Schema Manager”).

The NVD entry for CVE-2018-10054.

Provides an overview of all affected issues of Jira Service Management Data Center and Server as well as the Insight app Jiras Advisory. Expressly the cloud version of Jira Service Management is not affected.

Insight from version 8.9.3 and up are covered Jira Service Management Data Center and Server 4.20.0. The latter software bundle contains Insight 9.1.2. Information on the (version-dependent) procedure for updating and the compatibility of Insight 8.9.3 with different editions of Jira Service Management Data Center and Server can be found in the advisory.


Article Source

Disclaimer: This article is generated from the feed and not edited by our team.