[CONFSERVER-67893] Pre-Authorization Arbitrary File Read in /s/ endpoint - CVE-2021-26085 - Create and track feature requests for Atlassian products.

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Low
Fix Version/s: 7.4.10, 7.12.3, 7.13.0
Affects Version/s: 7.6.3, 7.8.3, 7.9.0, 7.10.0, 7.10.1
Component/s: None
Labels:

CVSS Score:
5.2
CVSS Severity:
Medium
CVE ID:
CVE-2021-26085

Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a Pre-Authorization Arbitrary File Read vulnerability in the /s/ endpoint.

The affected versions are before version 7.4.10, and from version 7.5.0 before 7.12.3.

This vulnerability was discovered by Amit Laish, GE Digital, Cyber Security Lab.

Affected versions:

version < 7.4.10
7.5.0 ≤ version < 7.12.3

Fixed versions:

7.4.10
7.12.3
7.13.0
7.14.0

is related to

CONFSERVER-60469 Pre-Authorization Limited Arbitrary File Read in Confluence Server - CVE-2020-29448

Published

JRASERVER-72695 Limited Remote File Read in Jira Software Server - CVE-2021-26086

Published

mentioned in: Page Failed to load; Page Failed to load; Page Failed to load

Form Name

Mandeep Jadon made changes - 21/Feb/2023 3:40 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 733516 ]

Cathy S made changes - 01/Jun/2022 2:34 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 647677 ]

Cathy S made changes - 22/Mar/2022 4:56 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 628992 ]

Aleksandr Kuznetsov added a comment - 29/Nov/2021 9:27 PM - edited

Will the fix be prepared for Data Center v7.11.6 ?

Aleksandr Kuznetsov added a comment - 29/Nov/2021 9:27 PM - edited Will the fix be prepared for Data Center v7.11.6 ?

Thiago Masutti made changes - 11/Oct/2021 12:29 PM

Link

New: This issue is related to ~~JRASERVER-72695~~ [ ~~JRASERVER-72695~~ ]

Thiago Masutti made changes - 11/Oct/2021 12:29 PM

Link

New: This issue is related to ~~CONFSERVER-60469~~ [ ~~CONFSERVER-60469~~ ]

Thiago Masutti made changes - 11/Oct/2021 12:29 PM

Link

New: This issue is related to CONFSERVER-60313 [ CONFSERVER-60313 ]

Alfredo Hickman added a comment - 06/Oct/2021 9:38 PM

When's the fix for Atlassian cloud supposed to go live? We use Altassian cloud at my company and I've verified that I can read certain files without authentication in my account.

Alfredo Hickman added a comment - 06/Oct/2021 9:38 PM When's the fix for Atlassian cloud supposed to go live? We use Altassian cloud at my company and I've verified that I can read certain files without authentication in my account.

Security Metrics Bot made changes - 16/Sep/2021 5:27 AM

CVE ID

New: CVE-2021-26085

Rachel Robins made changes - 09/Sep/2021 1:43 AM

Fix Version/s

Original: 7.14.0 [ 94828 ]

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 12 Start watching this issue

Created:: 21/Jul/2021 12:18 AM

Updated:: 21/Feb/2023 3:40 PM

Resolved:: 29/Jul/2021 2:35 AM

Details

Description

Attachments

Issue Links

Forms

Activity

[CONFSERVER-67893] Pre-Authorization Arbitrary File Read in /s/ endpoint - CVE-2021-26085

Collapse comment: Aleksandr Kuznetsov added a comment - 29/Nov/2021 9:27 PM, Edited by Aleksandr Kuznetsov - 29/Nov/2021 9:28 PM

Expand comment: Aleksandr Kuznetsov added a comment - 29/Nov/2021 9:27 PM, Edited by Aleksandr Kuznetsov - 29/Nov/2021 9:28 PM

Collapse comment: Alfredo Hickman added a comment - 06/Oct/2021 9:38 PM

Expand comment: Alfredo Hickman added a comment - 06/Oct/2021 9:38 PM

People

Dates