Abstract Advisory Information
A CSV injection vulnerability was discovered in clustercoding Jira 7.12.0: a user can inject a command into a field that is then included in the exported CSV file, which can lead to code execution when the export is opened in a spreadsheet application.
Author: Julien Oury-Nogues, Excellium-Services
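The defensive control for this class of issue is to neutralise cells on the export side, so that a spreadsheet never treats user-supplied text as a formula. The following is an added example written for this advisory, not code from Jira or from the advisory author; it assumes a generic CSV export routine (the `FORMULA_TRIGGERS` list, the `sanitize_cell` and `export_csv` helpers and the sample rows are all constructed here) and shows the usual mitigation: prefix any cell that starts with a formula trigger with a single quote, leave genuine numbers such as `-2` untouched, and let the CSV writer quote every field.

```python
import csv
import io

# Leading characters that make common spreadsheet applications evaluate a cell
# as a formula. Constructed list based on the widely documented CSV-injection
# triggers; an assumption for this example, not taken from the advisory.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def _is_number(value: str) -> bool:
    """True for plain numeric cells such as '-12.5' or '+1', which must stay as-is."""
    try:
        float(value)
        return True
    except ValueError:
        return False


def sanitize_cell(value) -> str:
    """Neutralise one cell before it is written to a CSV export.

    A cell that starts with a formula trigger and is not a plain number gets a
    single-quote prefix, so the spreadsheet shows it as literal text. Embedded
    separators and double quotes are handled by the CSV writer's quoting.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS) and not _is_number(text):
        return "'" + text
    return text


def export_csv(header, rows) -> str:
    """Render header and rows to CSV text with every cell sanitised and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([sanitize_cell(h) for h in header])
    for row in rows:
        writer.writerow([sanitize_cell(c) for c in row])
    return buf.getvalue()


# Constructed sample data: issue fields as a user might type them into a tracker.
SAMPLE_HEADER = ["Key", "Summary", "Estimate"]
SAMPLE_ROWS = [
    ["PROJ-1", "Fix login page", "3"],
    ["PROJ-2", "=SUM(A1:A9)", "-2"],            # formula-like summary, negative number
    ["PROJ-3", "@reviewer please check", "+1"],  # '@' trigger, signed number kept
    ["PROJ-4", 'Budget, phase "2"', None],       # separator and quotes inside a cell
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_HEADER, SAMPLE_ROWS))
```

The numeric check matters: a naive rule that escapes every cell starting with `-` or `+` corrupts ordinary signed numbers in the export, which is a common reason such sanitisers get disabled in practice.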
Version affected
Name: Jira
Versions: 7.12.0
Common Vulnerability Scoring System
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Patches
Unknown
References
https://jira.atlassian.com/browse/CONFSERVER-57814
Vulnerability Disclosure Timeline
- 14/09/2018: Vulnerability discovered
- 17/09/2018: Vendor notified of the issue (Ref: SEC-2059)
- 20/09/2018: CSIRT requested a status update from Jira: no answer
- 08/10/2018: Vendor notified of the disclosure policy
- 31/10/2018: Vendor does not consider this a vulnerability: the issue is related to Excel, not directly to Jira. No patch will be released.
- 21/12/2018: As Atlassian is a CNA, MITRE refused to assign a CVE ID
- 28/02/2019: Public disclosure