Lucene search
This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.JIRA_8_21_0_JRASERVER-73070.NASLHistoryJul 06, 2022 - 12:00 a.m.
Atlassian Jira < 8.13.18 / 8.14.0 < 8.20.6 / 8.21.0 (JRASERVER-73070)
2022-07-0600:00:00
This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
34
atlassian jira
security update
vulnerability
denial of service
outofmemoryerror
tomcat
cve-2021-42340
jraserver-73070 advisory
CVSS2
5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
6.9
Confidence
High
EPSS
0.027
Percentile
90.6%
The version of Atlassian Jira installed on the remote host is prior to 8.13.18 / 8.14.0 < 8.20.6 / 8.21.0. It is, therefore, affected by a vulnerability as referenced in the JRASERVER-73070 advisory.
- Denial of service via an OutOfMemoryError (Tomcat CVE-2021-42340) (CVE-2021-42340)
Note that Nessus has not tested for this issue but has instead relied only on the applicationβs self-reported version number.
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(162744);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/05");
script_cve_id("CVE-2021-42340");
script_name(english:"Atlassian Jira < 8.13.18 / 8.14.0 < 8.20.6 / 8.21.0 (JRASERVER-73070)");
script_set_attribute(attribute:"synopsis", value:
"The remote Atlassian Jira host is missing a security update.");
script_set_attribute(attribute:"description", value:
"The version of Atlassian Jira installed on the remote host is prior to 8.13.18 / 8.14.0 < 8.20.6 / 8.21.0. It is, therefore, affected by a
vulnerability as referenced in the JRASERVER-73070 advisory.
- Denial of service via an OutOfMemoryError (Tomcat CVE-2021-42340) (CVE-2021-42340)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://jira.atlassian.com/browse/JRASERVER-73070");
script_set_attribute(attribute:"solution", value:
"Upgrade to Atlassian Jira version 8.13.18, 8.20.6, 8.21.0 or later.");
script_set_attribute(attribute:"agent", value:"all");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-42340");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/10/01");
script_set_attribute(attribute:"patch_publication_date", value:"2021/11/30");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/07/06");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/a:atlassian:jira");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("jira_detect.nasl", "atlassian_jira_win_installed.nbin", "atlassian_jira_nix_installed.nbin");
script_require_keys("installed_sw/Atlassian JIRA");
exit(0);
}
include('vcf.inc');
var app_info = vcf::combined_get_app_info(app:'Atlassian JIRA');
# if on LTS release 8.13.x needs the 8.13.18 patch.
# else if on LTS release 8.20.x needs the 8.20.6 patch
# if else upgrade to 8.21.0
var constraints = [
{ 'fixed_version' : '8.13.18', 'fixed_display' : '8.13.18 / 8.20.6 / 8.21.0' },
{ 'min_version' : '8.14.0', 'fixed_version' : '8.20.6', 'fixed_display' : '8.20.6 / 8.21.0' },
];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
Related
osv
osv
BIT-tomcat-2021-42340
2024-03-06 11:09:50
Missing Release of Resource after Effective Lifetime in Apache Tomcat
2021-10-15 18:51:34
CVE-2021-42340
2021-10-14 20:15:09
veracode
veracode
Denial Of Service (DoS)
2021-10-15 08:23:36
nessus
nessus
Apache Tomcat 10.1.0.M1 < 10.1.0.M6
2021-10-14 00:00:00
Debian DSA-5009-1 : tomcat9 - security update
2021-11-12 00:00:00
Amazon Linux 2 : tomcat (ALASTOMCAT9-2023-006)
2023-09-27 00:00:00
debiancve
debiancve
CVE-2021-42340
2021-10-14 20:15:09
ibm
ibm
atlassian
atlassian
nvd
nvd
CVE-2021-42340
2021-10-14 20:15:09
tomcat
tomcat
Fixed in Apache Tomcat 9.0.54
2021-10-01 00:00:00
Fixed in Apache Tomcat 8.5.72
2021-10-06 00:00:00
Fixed in Apache Tomcat 10.1.0-M6
2021-10-01 00:00:00
cisa
cisa
Apache Releases Security Advisory for Tomcatβ―β―
2021-10-15 00:00:00
debian
debian
[SECURITY] [DSA 5009-1] tomcat9 security update
2021-11-12 14:35:56
prion
prion
Memory corruption
2021-10-14 20:15:00
kaspersky
kaspersky
KLA12322 DoS vulnerability in Apache Tomcat
2021-10-06 00:00:00
KLA12321 DoS vulnerability in Apache Tomcat
2021-10-01 00:00:00
cnvd
cnvd
Apache Tomcat Resource Management Error Vulnerability (CNVD-2021-83785)
2021-10-18 00:00:00
github
github
Missing Release of Resource after Effective Lifetime in Apache Tomcat
2021-10-15 18:51:34
openvas
openvas
Apache Tomcat DoS Vulnerability (Oct 2021) - Linux
2021-10-18 00:00:00
Debian: Security Advisory (DSA-5009-1)
2021-11-14 00:00:00
Apache Tomcat DoS Vulnerability (Oct 2021) - Windows
2021-10-18 00:00:00
f5
f5
K70052353 : Apache Tomcat vulnerability CVE-2021-42340
2021-10-21 00:00:00
ubuntucve
ubuntucve
CVE-2021-42340
2021-10-14 00:00:00
cvelist
cvelist
CVE-2021-42340 DoS via memory leak with WebSocket connections
2021-10-14 19:55:14
redhatcve
redhatcve
CVE-2021-42340
2021-10-15 02:51:28
amazon
amazon
Important: tomcat8
2021-10-29 16:37:00
cve
cve
CVE-2021-42340
2021-10-14 20:15:09
photon
photon
Important Photon OS Security Update - PHSA-2021-0452
2021-11-24 00:00:00
Important Photon OS Security Update - PHSA-2021-0126
2021-11-10 00:00:00
Important Photon OS Security Update - PHSA-2021-4.0-0126
2021-11-10 00:00:00
redos
redos
ROS-20221103-06
2022-11-03 00:00:00
mageia
mageia
Updated tomcat packages fix security vulnerability
2021-10-23 13:05:28
redhat
redhat
(RHSA-2021:4861) Important: Red Hat JBoss Web Server 5.6.0 Security release
2021-11-30 14:19:46
(RHSA-2021:4863) Important: Red Hat JBoss Web Server 5.6.0 Security release
2021-11-30 14:21:16
(RHSA-2022:1179) Important: Red Hat support for Spring Boot 2.5.10 update
2022-04-12 19:02:50
gentoo
gentoo
Apache Tomcat: Multiple Vulnerabilities
2022-08-21 00:00:00
rosalinux
rosalinux
Advisory ROSA-SA-2023-2258
2023-10-21 16:49:43
oracle
oracle
Oracle Critical Patch Update Advisory - July 2022
2022-07-19 00:00:00
Oracle Critical Patch Update Advisory - January 2022
2022-01-18 00:00:00
Oracle Critical Patch Update Advisory - April 2022
2022-04-19 00:00:00
CVSS2
5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
6.9
Confidence
High
EPSS
0.027
Percentile
90.6%
Related for JIRA_8_21_0_JRASERVER-73070.NASL