Atlassian Jira 8.0.0 < 8.0.4 Multiple Vulnerabilities

According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is version 7.13.0 prior to 7.13.4, 8.0.0 prior to 8.0.4 or 8.1.0 prior to 8.1.1. It is, therefore, affected by multiple vulnerabilities:

• A vulnerability which permits remote attackers who have obtained access to administrator’s session to access the ViewUpgrades administrative resource without needing to re-authenticate via a improper access control flaw (CVE-2019-8443).

• A vulnerability which permits remote attackers to access files in the Jira webroot under the META-INF directory via a lax path access check in the CachingResourceDownloadRewriteRule class (CVE-2019-8442).

• A vulnerability in the /rest/api/2/user/picker rest resource which permits allows remote attackers to enumerate usernames via an incorrect authorisation check(CVE-2019-3403).

Note that the scanner has not tested for these issues but has instead relied only on the application’s self-reported version number.