## Problem
Affected versions of JIRA Service Desk are vulnerable to CVE-2019-14994, a URL path traversal that lets users without JIRA application access (Service Desk Customers) reach restricted issues in the JIRA instance.
A Service Desk Customer normally sees only their own requests; with this flaw they can read the details of issues returned in the generated XML results for all JIRA Service Desk projects.
JIRA Software and JIRA Core projects are also exposed if their Browse Projects permission is granted to Group - Anyone.
## Affected versions
- All versions **before** 3.9.16
- 3.10.x
- 3.11.x
- 3.12.x
- 3.13.x
- 3.14.x
- 3.15.x
- 3.16.x **before** 3.16.8 (the fixed version for 3.16.x)
- 4.0.x
- 4.1.x **before** 4.1.3 (the fixed version for 4.1.x)
- 4.2.x **before** 4.2.5 (the fixed version for 4.2.x)
- 4.3.x **before** 4.3.4 (the fixed version for 4.3.x)
- 4.4.0
The permanent resolution is given below, along with workarounds for when an immediate upgrade is not possible.
## Resolution
Upgrade to a fixed version of JIRA Service Desk:
- 3.9.16
- 3.16.8
- 4.1.3
- 4.2.5
- 4.3.4
- 4.4.1
## Workaround
Either block the path traversal itself, or limit which JIRA Software/Core issues it can return. Note that restricting Browse Projects only removes Software/Core issues from the results; Service Desk issues stay exposed until the traversal is blocked (Workaround 1 or 2) or the instance is upgraded.
### Workaround to stop JIRA Software/Core project issues being returned in the resulting XML
Grant the Browse Projects permission of every JIRA Software/Core project to specific groups instead of Group - Anyone:
1. Go to Project Settings → Permissions
2. Set the Browse Projects permission to only the groups that should have access to that project.
### Workaround 1.
Redirect any request to JIRA whose path contains `..` to a safe URL. The rule below matches a literal `..` anywhere in the request path and answers with a temporary redirect to `/`.
1. Add the following to the `<urlrewrite>` section of `[jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml`:
```none
<rule>
    <from>^/[^?]*\.\..*$</from>
    <to type="temporary-redirect">/</to>
</rule>
```
2. Save the `urlrewrite.xml`
3. Restart JIRA
### Workaround 2.
Block requests to JIRA whose path contains `..` at the reverse proxy or load balancer.
#### Apache
1. Add the following to the .conf file that contains the VirtualHost that proxies to JIRA:
```none
<LocationMatch "/(.*\.\.)">
    Order Allow,Deny
    Deny from all
</LocationMatch>
```
`Order` and `Deny` are Apache 2.2 access-control directives; on Apache 2.4 they only work with `mod_access_compat` loaded, and the native equivalent is `Require all denied` (the example below already uses the 2.4-style `Require all granted` in its `<Proxy>` block).
Example:
```none
<VirtualHost *:80>
    ServerName jira.example.com
    ProxyRequests Off
    ProxyVia Off
    <Proxy *>
        Require all granted
    </Proxy>
    ProxyPass /jira http://ipaddress:8080/jira
    ProxyPassReverse /jira http://ipaddress:8080/jira
    <LocationMatch "/(.*\.\.)">
        Order Allow,Deny
        Deny from all
    </LocationMatch>
</VirtualHost>
```
2. Restart your Apache proxy
#### Nginx
1. Add the following inside the `location` block, in the .conf file that contains the `server` block that proxies to JIRA:
```none
if ($uri ~* "/.*\.\.") { return 405; }
```
Example:
```none
location /jira {
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://ipaddress:8080/jira;
    client_max_body_size 10M;
    if ($uri ~* "/.*\.\.") { return 405; }
}
```
2. Restart NGINX
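As an added example (not Atlassian's code and not part of the original advisory), the Python script below re-implements the three patterns from Workaround 1 and Workaround 2 and runs them over constructed sample paths, so you can see which request forms each rule catches, both as sent on the wire and after the percent-decoding and dot-segment resolution a reverse proxy typically applies before `<LocationMatch>` and `$uri` are evaluated. The `/jira` context path, the sample paths and the `probe_live` helper are assumptions for illustration; nothing here is taken from an exploit.

```python
"""Which request paths do the CVE-2019-14994 workaround rules catch?

Added example (not Atlassian's code): re-implements the three patterns from
Workaround 1 (urlrewrite.xml) and Workaround 2 (Apache, nginx) as Python
regexes and runs them over constructed sample paths, both as sent on the wire
and after the percent-decoding and dot-segment collapsing a front end applies
before matching. Sample paths are made up for this demonstration.
"""
import posixpath
import re
from urllib.parse import unquote

# The three patterns exactly as published in the workarounds.
RULES = {
    "urlrewrite": re.compile(r"^/[^?]*\.\..*$"),     # <from> in urlrewrite.xml
    "apache": re.compile(r"/(.*\.\.)"),              # <LocationMatch "/(.*\.\.)">
    "nginx": re.compile(r"/.*\.\.", re.IGNORECASE),  # if ($uri ~* "/.*\.\.")
}

# Constructed sample request targets (assumed context path /jira).
SAMPLES = [
    "/jira/servicedesk/customer/portal/1",                                  # ordinary portal page
    "/jira/servicedesk/customer/portal/1/../../rest/api/2/search",          # plain dot segments
    "/jira/servicedesk/customer/portal/1/..;/..;/rest/api/2/search",        # dot segments with a path parameter
    "/jira/servicedesk/customer/portal/1/%2e%2e/%2e%2e/rest/api/2/search",  # percent-encoded dots
    "/jira/issues/?jql=summary%20~%20%22..%22",                             # '..' only in the query string
]


def path_only(target):
    """All three rules look at the path, not the query string (urlrewrite's
    default use-query-string="false", Apache <Location>, nginx $uri)."""
    return target.split("?", 1)[0]


def front_end_view(target):
    """Approximate the normalised path a proxy matches against: percent-decoded,
    with '.' and '..' segments resolved. A '..;' segment is an ordinary segment
    to the normaliser and survives. Approximation for illustration only."""
    decoded = unquote(path_only(target))
    normalised = posixpath.normpath(decoded)
    if decoded.endswith("/") and not normalised.endswith("/"):
        normalised += "/"  # normpath strips the trailing slash; keep the shape
    return normalised


def evaluate(target, normalised=False):
    """Return {rule_name: bool} telling which rules match this request."""
    path = front_end_view(target) if normalised else path_only(target)
    return {name: rx.search(path) is not None for name, rx in RULES.items()}


def caught_by_all(target, normalised=False):
    """True if every one of the three rules would block/redirect the request."""
    return all(evaluate(target, normalised).values())


def probe_live(base_url, targets, timeout=5):
    """Send each target to a real instance and return {target: HTTP status}.
    After the workaround is active expect 302 (urlrewrite), 403 (Apache) or
    405 (nginx). http.client is used because it sends the request-target
    verbatim, without resolving '..' client-side. Network call; not run here."""
    import http.client
    from urllib.parse import urlsplit
    u = urlsplit(base_url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    statuses = {}
    for t in targets:
        conn = conn_cls(u.hostname, u.port, timeout=timeout)
        conn.request("GET", t)
        statuses[t] = conn.getresponse().status
        conn.close()
    return statuses


if __name__ == "__main__":
    for t in SAMPLES:
        print(t)
        print("  raw path       :", evaluate(t))
        print("  normalised view:", front_end_view(t), evaluate(t, normalised=True))
```

Compare the two views when you run it: in the normalised view the plain `../` sample no longer matches any rule, because the proxy has already resolved the segments and, by default, forwards the resolved path, whereas a `..;` segment is not a dot segment to the normaliser and still reaches the rule as written; the percent-encoded sample matches in neither view, so check how your own front end treats it rather than assuming. After applying a workaround and restarting, `probe_live` against a test instance should return 302, 403 or 405 for the paths the rule is meant to catch and 200 for the ordinary portal page.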