CIO

Cisco enterprise alert: Atlassian Jira bug tracker software has multiple security bugs

  • Liam Tung (CSO Online)
  • 17 September, 2019 05:22

Popular bug tracking software Jira, from Australian firm Atlassian, has seven vulnerabilities that could be used by remote attackers to run code inside Jira or to leak the contents of issues, including attached documents.

The bugs were disclosed by Cisco’s Talos Intelligence, which said they could be used to “execute code inside of Jira and the disclosure of information inside of tasks created in Jira, including attached documents.”

Jira, a Java-based web app, is a key tool that's used by tens of thousands of enterprise organizations across the world. A decade ago, a simple cross-site scripting (XSS) bug in the software was used to breach the Apache Software Foundation’s bug tracking tool to steal passwords. 

Atlassian is Australia’s most successful tech startup and recently created free options for Jira Software, Jira Service Desk, Jira Core and Confluence as part of its plan to win more cloud customers. 

With greater user numbers, the company is also attracting more attention from security researchers and hackers. 

Cisco’s Talos Intelligence is one of the firms that has helped Atlassian patch security flaws; the latest batch is seven bugs that admins should address.

The most serious of the seven found by Talos researchers is a cross-site scripting (XSS) bug in the WikiRenderer functionality of Atlassian Jira, from version 7.6.4 to 8.1.0. 

“A specially crafted comment can cause a persistent XSS. An attacker can create a comment or worklog entry to trigger this vulnerability,” according to Talos researchers. 

The bug has a Common Vulnerability Scoring System (CVSS) version 3 score of 7.4 out of a possible 10, making it a high-severity issue. Because the payload is stored in the comment or worklog entry, it runs in the browser of every user who later views the issue, not just the attacker’s.

“Parsing of comments or worklogs that use the wikirenderer is susceptible to malformed input which will result in a persistent XSS. The renderer markup format supports setting attributes for embedded images, with an attr=val format,” Talos researchers explained.

“The renderer also supports parsing URLs to create links in the rendered output. However, the renderer also creates URLs for image attributes that have a value starting with http:. Combining these two behaviors allows for creating malformed HTML output. This can be leveraged to execute arbitrary JavaScript.”
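The two behaviours Talos describes (an image macro that accepts attr=val pairs, and URL handling that also fires on attribute values starting with http:) are easy to model in miniature. The following Python is an added example written for this article; it is not Jira's WikiRenderer code, and the macro shape `!src|attr=val!`, the attribute allowlist, the `http:` link regex and the `pic.png` / `onerror` payload are all assumptions made for the demonstration. It shows a renderer whose image step escapes every attribute value correctly, yet still produces malformed HTML once a second, naive link pass runs over the finished output, and a fixed version that links only plain-text segments. A small attribute scanner that follows the HTML5 tokenizer's rules for malformed tags (a quote inside a quoted value ends it, `/` separates attributes, an unquoted value runs to the next blank or `>`) shows what a browser would recover from each output.

```python
import html
import re

# Toy wiki image macro: !src|attr=val,attr=val!  (an assumed shape, not Jira's grammar)
IMAGE_MACRO = re.compile(r'!([^|!\s]+)(?:\|([^!]*))?!')
# Naive autolinker: "http:" plus any run of non-blank, non-quote, non-angle characters
AUTOLINK = re.compile(r'http:[^\s"<>]+')
# Attribute scanner approximating the HTML5 start-tag tokenizer on malformed input
ATTR = re.compile(r'[\s/]*([^\s/>=]+)(?:\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]*))?')

# Constructed attacker comment: the payload lives in an allowed image attribute.
# "pic.png" is meant to be a missing file so onerror fires; the trailing // turns the
# stray quote that lands in the handler into a JavaScript comment.
PAYLOAD = 'Repro: !pic.png|title=http:x/onerror=alert(1)//! end'


def tokens(wiki):
    """Yield ('text', str) and ('image', match) pieces of the markup in order."""
    pos = 0
    for m in IMAGE_MACRO.finditer(wiki):
        if m.start() > pos:
            yield 'text', wiki[pos:m.start()]
        yield 'image', m
        pos = m.end()
    if pos < len(wiki):
        yield 'text', wiki[pos:]


def render_image_tag(m):
    """Build an <img> tag; only allowlisted attribute names, every value escaped.
    In isolation this step is safe: a quote in a value becomes &quot;."""
    attrs = {}
    for pair in (m.group(2) or '').split(','):
        if '=' in pair:
            k, v = pair.split('=', 1)
            attrs[k.strip()] = v.strip()
    parts = [f'src="{html.escape(m.group(1))}"']
    for name in ('alt', 'title'):
        if name in attrs:
            parts.append(f'{name}="{html.escape(attrs[name])}"')
    return '<img ' + ' '.join(parts) + '>'


def linkify(m):
    return f'<a href="{m.group(0)}">{m.group(0)}</a>'


def render_vulnerable(wiki):
    """Bug: the link pass runs over finished HTML, so it also fires on an attribute
    value that starts with http: and drops <a href="..."> inside the <img> tag."""
    rendered = ''.join(html.escape(v) if kind == 'text' else render_image_tag(v)
                       for kind, v in tokens(wiki))
    return AUTOLINK.sub(linkify, rendered)


def render_fixed(wiki):
    """Fix: link only escaped text segments; finished tags are never re-parsed."""
    return ''.join(AUTOLINK.sub(linkify, html.escape(v)) if kind == 'text'
                   else render_image_tag(v)
                   for kind, v in tokens(wiki))


def img_attributes(fragment):
    """Attribute names of the first <img> tag as a browser tokenizer would recover them."""
    pos = fragment.index('<img') + len('<img')
    names = []
    while True:
        m = ATTR.match(fragment, pos)
        if not m:
            break
        names.append(m.group(1))
        pos = m.end()
    return names


if __name__ == '__main__':
    for label, render in (('vulnerable', render_vulnerable), ('fixed', render_fixed)):
        out = render(PAYLOAD)
        print(f'{label}: {out}')
        print(f'  browser sees <img> attributes: {img_attributes(out)}')
```

On the payload above, the vulnerable renderer emits `title="<a href="http:x/onerror=alert(1)//">…`; the second quote ends the title value early, so `http:x` and then `onerror=alert(1)//"` are tokenized as further attributes of the `<img>` element and the handler runs when the missing image fails to load. The fixed renderer leaves the title as one quoted attribute and still autolinks URLs that appear in ordinary comment text.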

There are also less severe issues affecting the Jira login form, as well as an information disclosure bug.

Atlassian released patches for all the flaws in early September.