Vulnerability-Lookup

CNVD-2020-41865

Vulnerability from cnvd - Published: 2020-07-22

Title

Atlassian JIRA Server和Data Center拒绝服务漏洞（CNVD-2020-41865）

Description

Atlassian JIRA Server和Atlassian JIRA Data Center都是澳大利亚Atlassian公司的产品。Atlassian JIRA Server是一套缺陷跟踪管理系统的服务器版本。该系统主要用于对工作中各类问题、缺陷进行跟踪管理。Atlassian JIRA Data Center是Atlassian JIRA的数据中心版本。 Atlassian JIRA Server和Data Center中的头像上传功能存在拒绝服务漏洞。远程攻击者可通过特制PNG文件利用该漏洞导致拒绝服务。

Severity

中

Patch Name

Atlassian JIRA Server和Data Center拒绝服务漏洞（CNVD-2020-41865）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://jira.atlassian.com/browse/JRASERVER-70813

Reference

https://nvd.nist.gov/vuln/detail/CVE-2019-20897

Impacted products

Name
['Atlassian JIRA Server 7.6.0', 'Atlassian JIRA Server 7.6.15', 'Atlassian Jira Data Center 7.6.15', 'Atlassian JIRA Server 7.13.0', 'Atlassian JIRA Server 7.13.12', 'Atlassian Jira Data Center 7.6.0', 'Atlassian Jira Data Center 7.13.0', 'Atlassian Jira Data Center 7.13.12', 'Atlassian JIRA Server 8.5.1', 'Atlassian Jira Data Center 8.5.1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-20897",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-20897"
    }
  },
  "description": "Atlassian JIRA Server\u548cAtlassian JIRA Data Center\u90fd\u662f\u6fb3\u5927\u5229\u4e9aAtlassian\u516c\u53f8\u7684\u4ea7\u54c1\u3002Atlassian JIRA Server\u662f\u4e00\u5957\u7f3a\u9677\u8ddf\u8e2a\u7ba1\u7406\u7cfb\u7edf\u7684\u670d\u52a1\u5668\u7248\u672c\u3002\u8be5\u7cfb\u7edf\u4e3b\u8981\u7528\u4e8e\u5bf9\u5de5\u4f5c\u4e2d\u5404\u7c7b\u95ee\u9898\u3001\u7f3a\u9677\u8fdb\u884c\u8ddf\u8e2a\u7ba1\u7406\u3002Atlassian JIRA Data Center\u662fAtlassian JIRA\u7684\u6570\u636e\u4e2d\u5fc3\u7248\u672c\u3002\n\nAtlassian JIRA Server\u548cData Center\u4e2d\u7684\u5934\u50cf\u4e0a\u4f20\u529f\u80fd\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u7279\u5236PNG\u6587\u4ef6\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://jira.atlassian.com/browse/JRASERVER-70813",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-41865",
  "openTime": "2020-07-22",
  "patchDescription": "Atlassian JIRA Server\u548cAtlassian JIRA Data Center\u90fd\u662f\u6fb3\u5927\u5229\u4e9aAtlassian\u516c\u53f8\u7684\u4ea7\u54c1\u3002Atlassian JIRA Server\u662f\u4e00\u5957\u7f3a\u9677\u8ddf\u8e2a\u7ba1\u7406\u7cfb\u7edf\u7684\u670d\u52a1\u5668\u7248\u672c\u3002\u8be5\u7cfb\u7edf\u4e3b\u8981\u7528\u4e8e\u5bf9\u5de5\u4f5c\u4e2d\u5404\u7c7b\u95ee\u9898\u3001\u7f3a\u9677\u8fdb\u884c\u8ddf\u8e2a\u7ba1\u7406\u3002Atlassian JIRA Data Center\u662fAtlassian JIRA\u7684\u6570\u636e\u4e2d\u5fc3\u7248\u672c\u3002\r\n\r\nAtlassian JIRA Server\u548cData Center\u4e2d\u7684\u5934\u50cf\u4e0a\u4f20\u529f\u80fd\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u7279\u5236PNG\u6587\u4ef6\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Atlassian JIRA Server\u548cData Center\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff08CNVD-2020-41865\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Atlassian JIRA Server 7.6.0",
      "Atlassian JIRA Server 7.6.15",
      "Atlassian Jira Data Center 7.6.15",
      "Atlassian JIRA Server 7.13.0",
      "Atlassian JIRA Server 7.13.12",
      "Atlassian Jira Data Center 7.6.0",
      "Atlassian Jira Data Center 7.13.0",
      "Atlassian Jira Data Center 7.13.12",
      "Atlassian JIRA Server 8.5.1",
      "Atlassian Jira Data Center 8.5.1"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-20897",
  "serverity": "\u4e2d",
  "submitTime": "2020-07-13",
  "title": "Atlassian JIRA Server\u548cData Center\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff08CNVD-2020-41865\uff09"
}

CVE-2019-20897 (GCVE-0-2019-20897)

Vulnerability from cvelistv5 – Published: 2020-07-13 00:50 – Updated: 2024-09-16 17:33

Summary

The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.

Severity ?

No CVSS data available.

CWE

Denial of Service

Assigner

atlassian

References

URL

Tags

https://jira.atlassian.com/browse/JRASERVER-70813

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Atlassian	Jira Server	Affected: unspecified , < 8.5.4 (custom) Affected: 8.6.0 , < unspecified (custom) Affected: unspecified , < 8.6.2 (custom) Affected: 8.7.0 , < unspecified (custom) Affected: unspecified , < 8.7.1 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T02:53:09.487Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://jira.atlassian.com/browse/JRASERVER-70813"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Jira Server",
          "vendor": "Atlassian",
          "versions": [
            {
              "lessThan": "8.5.4",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "8.6.0",
              "versionType": "custom"
            },
            {
              "lessThan": "8.6.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "8.7.0",
              "versionType": "custom"
            },
            {
              "lessThan": "8.7.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2020-03-24T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Denial of Service",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-13T00:50:11",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.atlassian.com/browse/JRASERVER-70813"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@atlassian.com",
          "DATE_PUBLIC": "2020-03-24T00:00:00",
          "ID": "CVE-2019-20897",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Jira Server",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "8.5.4"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "8.6.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "8.6.2"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "8.7.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "8.7.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Atlassian"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Denial of Service"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jira.atlassian.com/browse/JRASERVER-70813",
              "refsource": "MISC",
              "url": "https://jira.atlassian.com/browse/JRASERVER-70813"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2019-20897",
    "datePublished": "2020-07-13T00:50:11.654573Z",
    "dateReserved": "2020-07-07T00:00:00",
    "dateUpdated": "2024-09-16T17:33:31.211Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-41865

CVE-2019-20897 (GCVE-0-2019-20897)

Tags

Sightings

Nomenclature