Abstract Advisory Information
A CSV Injection vulnerability was discovered in clustercoding Jira 7.12.0 that allows a user to inject a command that will be included in the exported CSV file, leading to possible code execution.
Authors: Julien Oury–Nogues from Excellium-Services company
Common Vulnerability Scoring System
Vulnerability Disclosure Timeline
- 14/09/2018: Vulnerability discovered
- 17/09/2018: Jira notification of issues (Ref: SEC-2059)
- 20/09/2018: CSIRT requests Jira status -> no answer.
- 08/10/2018: Jira notification of disclosure policy.
- 31/10/2018: Vendor does not consider this an issue as such. The issue is related to Excel and not directly to Jira. No patch will be released.
- 21/12/2018: As Atlassian is a CNA, MITRE refuses to assign a CVE ID
- 28/02/2019: Public disclosure