Workaround for CVE-2019-14994

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

Affected versions of Jira Service Management (CVE-2019-14994) allow users without application access, that is, Service Management customers, to use path traversal to view restricted issues in the Jira instance.

Service Management customers normally cannot see tickets other than their own. On an affected version they can view the details of tickets contained in the XML-generated results of all Jira Service Management projects.

Jira projects are affected if their Browse Projects permission is granted to Group - Anyone.

Affected versions

  • All versions before 3.9.16

  • 3.10.x

  • 3.11.x

  • 3.12.x

  • 3.13.x

  • 3.14.x

  • 3.15.x

  • 3.16.x before 3.16.8 (the fixed version for 3.16.x)

  • 4.0.x

  • 4.1.x before 4.1.3 (the fixed version for 4.1.x)

  • 4.2.x before 4.2.5 (the fixed version for 4.2.x)

  • 4.3.x before 4.3.4 (the fixed version for 4.3.x)

  • 4.4.0

The permanent resolution is below, together with workarounds for the case where an immediate upgrade is not possible.

Resolution

Upgrade to a fixed version of Jira Service Management:

  • 3.9.16

  • 3.16.8

  • 4.1.3

  • 4.2.5

  • 4.3.4

  • 4.4.1

Workaround

Either block path-traversal requests before they reach Jira, or restrict which Jira projects' tickets can be returned at all.

Workaround to stop Jira projects from being returned in the resulting XML

Grant every Jira project's Browse Projects permission to specific groups instead of Group - Anyone:

  1. Go to Project Settings → Permissions

  2. Grant the Browse Projects permission only to the groups that should have access to that project. Repeat for every project; any project left on Group - Anyone remains exposed.

Workaround 1.

Redirect requests to Jira containing .. to a safe URL

  1. Add the following rule to the <urlrewrite> section of [jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml:

    <rule>
        <from>(?s)^/.*\.\..*$</from>
        <to type="temporary-redirect">/</to>
    </rule>
  2. Save the urlrewrite.xml

  3. Restart Jira

Workaround 2.

Block requests to Jira containing .. at the reverse proxy or load balancer level

Apache

  1. Add the following to the .conf file that contains the VirtualHost that proxies to Jira:

    <LocationMatch "/(.*\.\.)">
        Order Allow,Deny
        Deny from all
    </LocationMatch>

    Note that Order and Deny are the Apache 2.2 access-control directives; on Apache 2.4 they only work when mod_access_compat is loaded, and the native 2.4 equivalent is Require all denied.

    Example:

    <VirtualHost *:80>
        ServerName jira.example.com

        ProxyRequests Off
        ProxyVia Off

        <Proxy *>
            Require all granted
        </Proxy>

        ProxyPass /jira http://ipaddress:8080/jira
        ProxyPassReverse /jira http://ipaddress:8080/jira

        <LocationMatch "/(.*\.\.)">
            Order Allow,Deny
            Deny from all
        </LocationMatch>
    </VirtualHost>
  2. Restart your Apache proxy

Nginx

  1. Add the following inside the location block of the .conf file that contains the server block that proxies to Jira:

    if ($uri ~* "/.*\.\.") { return 405; }

    Example:

    location /jira {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://ipaddress:8080/jira;
        client_max_body_size 10M;
        if ($uri ~* "/.*\.\.") { return 405; }
    }
  2. Reload or restart NGINX
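Before relying on Workaround 1 or Workaround 2, it is worth checking which request paths the ".." rules actually catch, and looking back through proxy access logs for earlier attempts. The script below is an added example, not Atlassian's code and not part of the KB's workaround: it applies the same "path contains two consecutive dots" test used by all three rules on this page to request targets as a proxy sees them (query string removed, percent-encoding decoded, which is what Apache LocationMatch and the nginx $uri variable match against; the assumption for urlrewrite.xml is its default behaviour of matching the path without the query string), and runs it over constructed access-log lines. The request paths in the sample lines are generic traversal shapes, not the specific request used against CVE-2019-14994.

```python
#!/usr/bin/env python3
"""Dry-run of the '..' blocking rules from this KB, plus a scan of access-log
lines for traversal attempts the rules would (or would not) catch.

Added example; not Atlassian's code. Sample log lines are constructed.
"""
import re
from urllib.parse import unquote

# All three rules on this page reduce to "the request path contains two
# consecutive dots": (?s)^/.*\.\..*$ in urlrewrite.xml, /(.*\.\.) in the
# Apache LocationMatch, and /.*\.\. in the nginx `if`.
DOTDOT = re.compile(r"/.*\.\.")


def proxy_path(request_target: str) -> str:
    """Reduce a request target to the form the proxy rules match against.

    Apache LocationMatch and nginx $uri see the path without the query
    string and with percent-encoding already decoded, so %2e%2e is tested
    as '..'. Assumption for urlrewrite.xml: default settings, which match
    the path without the query string.
    """
    path = request_target.split("?", 1)[0]
    return unquote(path)


def would_be_blocked(request_target: str) -> bool:
    """True if the KB's '..' rule fires for this request target."""
    return DOTDOT.search(proxy_path(request_target)) is not None


# One line of Apache/nginx combined (or common) log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def scan_access_log(lines):
    """Return (client_ip, request_target, status) for every request whose
    decoded path contains '..'. A 200 on such a line from before the
    workaround was deployed is the kind of entry to investigate."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = m.group("target")
        if would_be_blocked(target):
            hits.append((m.group("ip"), target, int(m.group("status"))))
    return hits


# Constructed sample log lines (not real traffic, not the CVE's request).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Sep/2019:10:01:02 +0000] '
    '"GET /jira/servicedesk/customer/portal/1 HTTP/1.1" 200 5123',
    # literal '..' in the path: caught by all three rules
    '203.0.113.5 - - [12/Sep/2019:10:01:09 +0000] '
    '"GET /jira/servicedesk/customer/portal/1/../../browse/ABC-1 HTTP/1.1" 200 48211',
    # percent-encoded '..': caught once the path is decoded
    '203.0.113.5 - - [12/Sep/2019:10:01:15 +0000] '
    '"GET /jira/servicedesk/customer/portal/1/%2e%2e/%2e%2e/browse/ABC-1 HTTP/1.1" 200 48211',
    # '..' only in the query string: not matched by the path-based rules
    '198.51.100.7 - - [12/Sep/2019:10:02:30 +0000] '
    '"GET /jira/browse/ABC-1?note=.. HTTP/1.1" 200 7321',
]


if __name__ == "__main__":
    for ip, target, status in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; any hit with a 2xx status dated before the rule went in is a request that reached Jira unblocked. The query-string case is included deliberately: the rules on this page only inspect the path, so a ".." that appears only in query parameters is not blocked, which is correct for these workarounds since the traversal has to be in the path to matter.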

Updated on April 9, 2025
