XLM-2018-356

by adidionxlm

Abstract Advisory Information

A CSV Injection vulnerability was discovered in clustercoding Jira 7.12.0 that allows a user to inject a command (a spreadsheet formula) that is included in the exported CSV file, leading to possible code execution when the file is opened.
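As an added defensive example (not code from this advisory or from Atlassian), the following Python exporter neutralises formula-triggering cells before they are written to CSV, which is the mitigation an application should apply on its own export path regardless of the vendor position; the `sanitize_cell`/`export_csv` helpers and the sample rows are constructed for illustration.

```python
import csv
import io

# Characters that spreadsheet applications treat as the start of a formula
# (OWASP CSV Injection guidance). Tab and carriage return are included because
# some importers strip them and then evaluate whatever follows.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of displaying it.

    Leading spaces are ignored because importers trim them before parsing.
    """
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def sanitize_cell(value) -> str:
    """Neutralise one cell value before it reaches an exported CSV.

    A leading single quote forces the cell to be read as text. The csv writer
    below also double-quotes every field, so separators or quotes inside a
    value cannot split it into extra columns.
    """
    text = "" if value is None else str(value)
    if is_formula_like(text):
        return "'" + text
    return text


def export_csv(rows, header) -> str:
    """Write header and rows (lists of values) to CSV text, sanitising each cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([sanitize_cell(v) for v in row])
    return buf.getvalue()


# Constructed sample: issue rows whose summary field would be parsed as a formula.
SAMPLE_HEADER = ["key", "summary"]
SAMPLE_ROWS = [
    ["PRJ-1", "Normal summary"],
    ["PRJ-2", "=SUM(1,1)"],
    ["PRJ-3", "  @SUM(1,1)"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS, SAMPLE_HEADER))
```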

Authors: Julien Oury-Nogues from the Excellium-Services company

Version affected

Name: Jira
Versions: 7.12.0

Common Vulnerability Scoring System

5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Patches

Unknown

References

https://jira.atlassian.com/browse/CONFSERVER-57814

Vulnerability Disclosure Timeline

  • 14/09/2018: Vulnerability discovered
  • 17/09/2018: Jira notified of the issue (Ref: SEC-2059)
  • 20/09/2018: CSIRT requested a status update from Jira -> no answer.
  • 08/10/2018: Jira notified of the disclosure policy.
  • 31/10/2018: Vendor does not consider this an issue: it is related to Excel and not directly to Jira. No patch will be released.
  • 21/12/2018: As Atlassian is a CNA, MITRE refused to assign a CVE id.
  • 28/02/2019: Public disclosure