CVE-2010-1165: Code Injection
First published: Tue Apr 20 2010(Updated: )
Atlassian JIRA 3.12 through 4.1 allows remote authenticated administrators to execute arbitrary code by modifying the (1) attachment (aka attachments), (2) index (aka indexing), or (3) backup path and then uploading a file, as exploited in the wild in April 2010.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Atlassian Jira | =3.12 | |
| Atlassian Jira | =3.12.1 | |
| Atlassian Jira | =3.12.2 | |
| Atlassian Jira | =3.12.3 | |
| Atlassian Jira | =3.13 | |
| Atlassian Jira | =3.13.1 | |
| Atlassian Jira | =3.13.2 | |
| Atlassian Jira | =3.13.3 | |
| Atlassian Jira | =3.13.4 | |
| Atlassian Jira | =3.13.5 | |
| Atlassian Jira | =4.0 | |
| Atlassian Jira | =4.0.1 | |
| Atlassian Jira | =4.0.2 | |
| Atlassian Jira | =4.1 | |
| =3.12 | ||
| =3.12.1 | ||
| =3.12.2 | ||
| =3.12.3 | ||
| =3.13 | ||
| =3.13.1 | ||
| =3.13.2 | ||
| =3.13.3 | ||
| =3.13.4 | ||
| =3.13.5 | ||
| =4.0 | ||
| =4.0.1 | ||
| =4.0.2 | ||
| =4.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16
- http://www.securityfocus.com/bid/39485
- http://secunia.com/advisories/39353
- http://jira.atlassian.com/browse/JRA-20995
- http://jira.atlassian.com/browse/JRA-21004
- http://www.openwall.com/lists/oss-security/2010/04/16/4
- http://www.openwall.com/lists/oss-security/2010/04/16/3
- https://exchange.xforce.ibmcloud.com/vulnerabilities/57828
Frequently Asked Questions
What is the severity of CVE-2010-1165?
CVE-2010-1165 has a high severity rating due to the potential for remote code execution.
How do I fix CVE-2010-1165?
To fix CVE-2010-1165, upgrade to a patched version of Atlassian JIRA that addresses this vulnerability.
What versions of Atlassian JIRA are affected by CVE-2010-1165?
CVE-2010-1165 affects Atlassian JIRA versions 3.12 through 4.1.
Can CVE-2010-1165 be exploited remotely?
Yes, CVE-2010-1165 can be exploited remotely by authenticated administrators.
What types of attacks are possible with CVE-2010-1165?
CVE-2010-1165 allows for arbitrary code execution through file uploads.
- agent/references
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/author
- agent/severity
- agent/description
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- agent/event
- vendor/atlassian
- canonical/atlassian jira
- version/atlassian jira/3.12
- version/atlassian jira/3.12.1
- version/atlassian jira/3.12.2
- version/atlassian jira/3.12.3
- version/atlassian jira/3.13
- version/atlassian jira/3.13.1
- version/atlassian jira/3.13.2
- version/atlassian jira/3.13.3
- version/atlassian jira/3.13.4
- version/atlassian jira/3.13.5
- version/atlassian jira/4.0
- version/atlassian jira/4.0.1
- version/atlassian jira/4.0.2
- version/atlassian jira/4.1