XML eXternal Entity injection (XXE) vulnerability

Hello,

We are writing to inform you of an XXE security vulnerability that was recently identified in the Marketplace app “Enterprise Mail Handler for Jira Server/DC” by Michael Anastasakis from Klarna (thanks!). All historic versions (v3.3.73 and below) of JEMH Server/DC are affected.

Severity

The vulnerability has been rated LOW on the Common Vulnerability Scoring System (CVSS) scale, because exploiting it requires an authenticated Admin account. It is unlikely to have had any impact on you; in the worst case, an Admin would be able to read text content from files that they may not already have access to (e.g. due to role segregation).

Timeline

The vulnerability was identified earlier this week, at which point we immediately validated the attack and fixed it by centralising XML parsing, so that a block on this kind of attack is enforced for all usages, and by adding integration tests to validate that it remains fixed.
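
One way to centralise XML parsing in the manner described above, shown as an added example that is not JEMH's own code: a single hardened factory for the JDK's built-in DOM parser, plus a regression check that a DOCTYPE is rejected. The class name `SafeXml` and both sample documents are assumptions constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical class: the only place in the code base allowed to create an XML parser.
public final class SafeXml {
    private SafeXml() {}

    /** Every caller gets its builder here, so the XXE block cannot be missed at one call site. */
    public static DocumentBuilder newBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright: without a DTD no entity can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE ever has to be allowed later.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    public static Document parse(byte[] xml) throws Exception {
        return newBuilder().parse(new ByteArrayInputStream(xml));
    }

    // Regression check in the spirit of an integration test; both documents are constructed samples.
    public static void main(String[] args) throws Exception {
        byte[] benign = "<config><name>inbox</name></config>".getBytes(StandardCharsets.UTF_8);
        byte[] withDoctype = ("<!DOCTYPE config [<!ENTITY e SYSTEM \"file:///constructed-placeholder\">]>"
                + "<config><name>&e;</name></config>").getBytes(StandardCharsets.UTF_8);

        parse(benign); // ordinary documents must still parse
        try {
            parse(withDoctype);
            throw new AssertionError("DOCTYPE was accepted: the XXE block has regressed");
        } catch (SAXException expected) {
            System.out.println("DOCTYPE rejected: " + expected.getMessage());
        }
    }
}
```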

Next Steps

To fix the vulnerability in your environment, update the app to one of the fixed versions, released on 7 JAN 2022:

  • v3.3.74 (Server) compatible with Jira 8.0.0+

  • v3.3.75 (DC) compatible with Jira 8.0.0+

If you have any questions, please feel free to raise a support request at https://thepluginpeople.atlassian.net/servicedesk/customer/portal/1 referencing XXE.

Sincerely,

Andy Brook

The Plugin People