We are getting mails from hackers saying that our Jira instance has vulnerabilities. When I searched, I could see documents saying it's a known issue for some versions.
Mail content is like:
Summary:
Reflected XSS can be submitted on reports, and for anyone who checks the report the XSS will trigger.
Description:
Cross-site scripting is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know whether the script should be trusted or not, it will execute the script in the user's context, allowing the attacker to access any cookies or session tokens retained by the browser.
Any idea about this?
Is this a serious vulnerability in Jira? Our version is 7.0.10.
Thanks
Shilpa
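The mechanism the mail describes, a value reflected into a report page without output encoding, and the fix for it, as an added example in JavaScript that is not part of the question or of Jira's own code (the `renderReportTitle` helpers and the sample input are assumptions for illustration):

```javascript
// HTML-encode untrusted text before reflecting it into page content, so the
// browser treats it as data rather than markup.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern (assumed for illustration): the report name taken from
// the request is concatenated straight into the HTML, so any markup in it is
// interpreted by the browser of whoever views the report.
function renderReportTitleUnsafe(reportName) {
  return `<h1 class="report-title">${reportName}</h1>`;
}

// Hardened pattern: the same value, encoded on output.
function renderReportTitle(reportName) {
  return `<h1 class="report-title">${escapeHtml(reportName)}</h1>`;
}

// Defender's check: true when the rendered fragment contains only the one
// <h1> element we wrote, i.e. the untrusted value introduced no tag of its own.
function containsOnlyExpectedTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.every((t) => /^<\/?h1\b/.test(t));
}

// Constructed sample input: a report name carrying a closing tag and a script
// element, the shape of input a reflected XSS report describes.
const SAMPLE_INPUT = 'Sprint 12 </h1><script>document.title="x"</script>';

console.log(containsOnlyExpectedTags(renderReportTitleUnsafe(SAMPLE_INPUT))); // false
console.log(containsOnlyExpectedTags(renderReportTitle(SAMPLE_INPUT)));       // true
```

Marking session cookies `HttpOnly` limits what a script that does run can read, but it does not replace encoding on output.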
Hi Shilpa,
Jira 7.0.10 is fairly aged at this point - that particular version is over 4 years old now and past its end-of-life. I would consider trying to schedule an upgrade in the near future. XSS vulnerabilities are common in most products that interact with browsers, and upgrading is a good way to take advantage of security research that goes into finding new ways to get around browser security and plug the gaps.
There are a couple of critical security advisories we released for Jira Server last year that definitely affect your 7.0.10 version:
If you have questions about upgrading, we're here to help. A good start is by taking a look at the Jira upgrade matrix page which contains summaries of the features released in each major version since 7.5 and notes about which platforms are supported.
Cheers,
Daniel