bpmcdevitt/data_importer
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add cna 7 jira captured potential from advisory

Browse source
This commit is contained in:
Brendan McDevitt 2022-05-20 17:21:27 -05:00
parent 955e7fd5fc
commit c1b3ed8fa1
1 changed files with 46 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

47
doc/cna_readme_notes/cnas_with_html_advisories.md
View file

@ -127,8 +127,53 @@ Offers a subscribe with RSS button to get an index of advisories at least.
### Advisory
https://www.atlassian.com/trust/security/advisories
#### Notes
The page listed in the CNAList.json for this org is the advisory policy document and not the list of advisories. The link provided in this document is the correct link for security advisories.
The page listed in the CNAList.json for this org is the advisory policy document and not the list of advisories. The link provided in this document is the correct link for security advisories
#### Captured Data Potential From Advisory
```
{
:bulletin_id => 'Jira Security Advisory 2022-04-20',
:summary_table => {
:summary => 'CVE-2022-0540 - Authentication bypass in Seraph',
:advisory_release_date => '20 Apr 2022 10:00 AM PDT (Pacific Time, -7 hours)',
:affected_products => [
'Jira',
'Jira Core Server',
'Jira Software Server',
'Jira Software Data Center',
'Jira Service Management',
'Jira Service Management Server',
'Jira Service Management Data Center'
],
:cve_ids => 'CVE-2022-0540'
},
:summary_of_vulnerability => 'Jira and Jira Service Management are vulnerable to an authentication bypass in its web authentication framework, Jira Seraph. Although the vulnerability is in the core of Jira, it affects first and third party apps that specify roles-required at the webwork1 action namespace level and do not specify it at an action level. For a specific action to be affected, the action will also need to not perform any other authentication or authorization checks. A remote, unauthenticated attacker could exploit this by sending a specially crafted HTTP request to bypass authentication and authorization requirements in WebWork actions using an affected configuration.',
:severity => 'For installations that use apps that have an affected configuration, Atlassian rates the severity level of this vulnerability as critical, though this may vary if an affected app uses additional permissions checks. For more detailed information on the impact to each app listed in the Determining which apps are affected section below, contact the app vendor. For installations that do not use any apps that have an affected configuration as described in the Summary of Vulnerability section above, Atlassian rates the severity level of this vulnerability as medium. This is our assessment, and you should evaluate its applicability to your own IT environment.',
:affected_jira_versions => [
'Jira Core Server',
'Jira Software Server',
'Jira Software Data Center',
'All versions before 8.13.18',
'8.14.x',
'8.15.x',
'8.16.x',
'8.17.x',
'8.18.x',
'8.19.x',
'8.20.x before 8.20.6',
'8.21.x'
],
:fixed_jira_versions => [
'8.13.x >= 8.13.18',
'8.20.x >= 8.20.6',
'All versions >= 8.22.0'
],
:fixed_jira_service_management_versions => [
'4.13.x >= 4.13.18',
'4.20.x >= 4.20.6',
'All versions >= 4.22.0',
]
}
```
## Autodesk
### Advisory