Jira Unauthenticated Server-Side Template Injection Vulnerability Security Advisory

Published: 2019-07-15

Vulnerability ID and severity


CVE ID: CVE-2019-11581; severity: high (Atlassian's own advisory rates it critical); CVSS score: none published by the vendor


Affected versions


The following versions are affected:


Atlassian Jira 4.4.x

Atlassian Jira 5.x.x

Atlassian Jira 6.x.x

Atlassian Jira 7.0.x

Atlassian Jira 7.1.x

Atlassian Jira 7.2.x

Atlassian Jira 7.3.x

Atlassian Jira 7.4.x

Atlassian Jira 7.5.x

Atlassian Jira 7.6.x < 7.6.14

Atlassian Jira 7.7.x

Atlassian Jira 7.8.x

Atlassian Jira 7.9.x

Atlassian Jira 7.10.x

Atlassian Jira 7.11.x

Atlassian Jira 7.12.x

Atlassian Jira 7.13.x < 7.13.5

Atlassian Jira 8.0.x < 8.0.3

Atlassian Jira 8.1.x < 8.1.2

Atlassian Jira 8.2.x < 8.2.3
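As an added example (not part of the advisory or of any Atlassian tooling), the following Python encodes the version table above so that a fleet of Jira instances can be checked mechanically instead of by eye. It assumes version strings of the form major.minor[.patch], such as the "version" field returned by Jira's /rest/api/2/serverInfo endpoint. Versions older than 4.4 are not in the advisory's table and are rejected rather than reported as safe; branches newer than 8.2 are treated as not affected because the table does not list them.

```python
"""Check a Jira Server / Data Center version against the CVE-2019-11581
affected ranges from the advisory's version table.

Added example; not code from the advisory or from Atlassian. The table is
encoded as data: branches listed as wholly affected, and branches that
have a first fixed release.
"""
from __future__ import annotations

# Branches (major, minor) where every release in the branch is affected.
WHOLLY_AFFECTED_BRANCHES = {
    (4, 4), (7, 0), (7, 1), (7, 2), (7, 3), (7, 4), (7, 5),
    (7, 7), (7, 8), (7, 9), (7, 10), (7, 11), (7, 12),
}
# Every 5.x.x and 6.x.x release is affected.
WHOLLY_AFFECTED_MAJORS = {5, 6}
# Branches with a first fixed release (the "< x.y.z" rows of the table).
FIRST_FIXED = {
    (7, 6): (7, 6, 14),
    (7, 13): (7, 13, 5),
    (8, 0): (8, 0, 3),
    (8, 1): (8, 1, 2),
    (8, 2): (8, 2, 3),
}
OLDEST_LISTED_BRANCH = (4, 4)


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor[.patch]' (e.g. the 'version' field of
    /rest/api/2/serverInfo) into a comparable 3-tuple."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jira version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True if the version falls in one of the advisory's affected ranges.

    Versions older than 4.4 are not covered by the table; they are
    rejected so that end-of-life builds are never reported as safe.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch < OLDEST_LISTED_BRANCH:
        raise ValueError(f"{version} predates the advisory's table; treat as unsupported")
    if major in WHOLLY_AFFECTED_MAJORS or branch in WHOLLY_AFFECTED_BRANCHES:
        return True
    if branch in FIRST_FIXED:
        return (major, minor, patch) < FIRST_FIXED[branch]
    # Branches not in the table (8.3.x and later) are outside the affected list.
    return False


def minimum_fixed_version(version: str) -> str | None:
    """Smallest fixed release in the same branch, or None when the branch
    has no fix and the instance must move to a fixed branch instead."""
    major, minor, _ = parse_version(version)
    fixed = FIRST_FIXED.get((major, minor))
    return ".".join(map(str, fixed)) if fixed else None


if __name__ == "__main__":
    import sys
    for v in sys.argv[1:]:
        state = "AFFECTED" if is_affected(v) else "not affected"
        fix = minimum_fixed_version(v) or "upgrade to a fixed branch"
        print(f"{v}: {state} (fix: {fix})")
```

Run it as `python3 jira_cve_2019_11581.py 7.13.4 8.2.3 7.12.1`; a branch with no fixed release of its own (for example 7.12.x) reports that the instance has to move to a fixed branch rather than to a point release.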


Vulnerability overview


Atlassian Jira is an issue and defect tracking system from the Australian company Atlassian, used mainly to track and manage the problems and defects that arise during a project.


Atlassian Jira Server and Jira Data Center contain a server-side template injection vulnerability. An attacker who exploits it successfully can execute arbitrary commands on the system running an affected version of Jira Server or Jira Data Center. It can be exploited in two scenarios.


Scenario 1: an SMTP server is configured on the Jira server and the "Contact Administrators form" is enabled (it is disabled by default).


Scenario 2: an SMTP server is configured on the Jira server and the attacker has "JIRA Administrators" access.

In the first scenario, with the Contact Administrators form enabled, an attacker can exploit the vulnerability without any authentication by sending a request to /secure/ContactAdministrators.jspa. In the second scenario, an attacker holding "JIRA Administrators" access can exploit it through /secure/admin/SendBulkMail!default.jspa.


Both triggers have the same root cause: the Subject (mail subject) field is not filtered, so a user-supplied subject is evaluated as template directives (Jira renders these mails with Apache Velocity). For the contact form this happens in atlassian-jira/WEB-INF/classes/com/atlassian/jira/web/action/user/ContactAdministrators. In either scenario an attacker who succeeds can execute arbitrary commands on the system running the affected Jira Server or Jira Data Center.


Vulnerability verification


No PoC/EXP is available at this time.


Remediation


Fixed releases have been published (7.6.14, 7.13.5, 8.0.3, 8.1.2 and 8.2.3, per the version table above); instances on a branch without its own fix should move to one of these or later. If upgrading is not possible, the following temporary mitigations can be applied.


1. Disable the "Contact Site Administrators" form. Go to Settings > System > Edit Settings, set "Contact Administrators Form" to "Off", then click "Update" at the bottom of the page to save the setting.


For detailed steps see: https://confluence.atlassian.com/adminjiraserver/configuring-the-administrator-contact-form-974375905.html#Configuringtheadministratorcontactform-DisablingtheContactAdministratorsForm


To verify it took effect: visiting /secure/ContactAdministrators!default.jspa should show "Your Jira administrator has not yet configured this contact form."




2. Block access to /secure/admin/SendBulkMail!default.jspa. Deny the path at the reverse proxy or load balancer, or directly in Tomcat; this stops administrators (and therefore an attacker holding administrator access) from sending bulk mail to users. Match the path prefix /secure/admin/SendBulkMail rather than only the !default.jspa form page: in Jira's WebWork actions the !default suffix renders the form, while the submission itself goes to SendBulkMail.jspa, so a rule on the exact !default URL alone leaves the submit path open.
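Both mitigations can be confirmed from outside the instance. The script below is an added example, not part of the advisory or of Atlassian's tooling: it fetches the endpoints named above without following redirects and classifies the responses. The contact form counts as disabled only when the page carries the "has not yet configured this contact form" notice quoted above; the bulk-mail paths count as blocked only on a 403 or 404 from the edge, because a 302 or 401 merely shows the request reached Jira and was bounced to login, which is the normal unauthenticated behaviour and proves nothing about the proxy or Tomcat rule. It assumes the Jira base URL is given on the command line and sends no session cookie, so the bulk-mail check covers the unauthenticated path only; re-test once with an administrator session to confirm the block also applies to logged-in users.

```python
"""Verify the CVE-2019-11581 mitigations (contact form off, bulk-mail
action blocked) against a Jira Server / Data Center base URL.

Added example; not code from the advisory or from Atlassian.
Usage: python3 verify_jira_mitigations.py https://jira.example.com
"""
from __future__ import annotations

import sys
import urllib.error
import urllib.request

CONTACT_FORM = "/secure/ContactAdministrators!default.jspa"
# Both the form page (!default) and the submit action must be refused.
BULK_MAIL_PATHS = (
    "/secure/admin/SendBulkMail!default.jspa",
    "/secure/admin/SendBulkMail.jspa",
)
# Notice Jira shows when the contact form is switched off (quoted in the advisory).
DISABLED_MARKER = "has not yet configured this contact form"


def contact_form_disabled(status: int, body: str) -> bool:
    """True when the contact-form page renders the 'not configured' notice."""
    return status == 200 and DISABLED_MARKER in body


def bulk_mail_blocked(status: int) -> bool:
    """True when the request was refused before reaching Jira.

    302/401 mean Jira itself answered (redirect to login), i.e. the
    edge block is NOT in place; 200 means the page is fully reachable.
    """
    return status in (403, 404)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the raw status is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, timeout: float = 10.0) -> tuple[int, str]:
    """GET the URL without following redirects; return (status, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx land here
        return e.code, e.read().decode("utf-8", "replace")


def check(base_url: str) -> dict[str, bool]:
    """Run both checks and return a name -> mitigated mapping."""
    base = base_url.rstrip("/")
    status, body = fetch(base + CONTACT_FORM)
    results = {"contact_form_disabled": contact_form_disabled(status, body)}
    for path in BULK_MAIL_PATHS:
        bulk_status, _ = fetch(base + path)
        results[f"blocked {path}"] = bulk_mail_blocked(bulk_status)
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: verify_jira_mitigations.py <jira base url>")
    outcome = check(sys.argv[1])
    for name, ok in outcome.items():
        print(f"{name}: {'OK' if ok else 'NOT MITIGATED'}")
    sys.exit(0 if all(outcome.values()) else 1)
```

A non-zero exit code makes the script usable as a post-change gate in a deployment pipeline; any "NOT MITIGATED" line names the endpoint that still needs attention.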


References


https://confluence.atlassian.com/jira/jira-security-advisory-2019-07-10-973486595.html