
Anonymous User is Able to Access Query Component JQL Endpoint - CVE-2021-39127

    • CVSS score: 5.3
    • Severity: Medium
    • CVE-2021-39127

      Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to access the query component JQL endpoint via a Broken Access Control (BAC) vulnerability.

      The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1. 

      Affected versions:

      • version < 8.5.10
      • 8.6.0 ≤ version < 8.13.1 

      Fixed versions:

      • 8.13.1
      • 8.5.10
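As an added example (not part of the Atlassian advisory), the following Python encodes the two affected ranges and two fixed releases listed above so an administrator can check an installed Jira Server/Data Center version against CVE-2021-39127; the choice of which fixed release to recommend is this example's own heuristic.

```python
from typing import Optional, Tuple

# Affected ranges as stated in the advisory (lower bound inclusive, upper exclusive).
AFFECTED_RANGES = [
    ((0, 0, 0), (8, 5, 10)),   # version < 8.5.10
    ((8, 6, 0), (8, 13, 1)),   # 8.6.0 <= version < 8.13.1
]
# Fixed releases as stated in the advisory.
FIXED_LTS = "8.5.10"
FIXED_CURRENT = "8.13.1"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '8.13.0' (or '8.5', or '8.13.1-beta') into a comparable 3-tuple."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".") if p]
    if not parts or len(parts) > 3:
        raise ValueError(f"unrecognised Jira version: {text!r}")
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def is_affected(text: str) -> bool:
    """True if the version falls inside any affected range from the advisory."""
    ver = parse_version(text)
    return any(low <= ver < high for low, high in AFFECTED_RANGES)


def recommended_fix(text: str) -> Optional[str]:
    """Nearest fixed release, or None if the version is not affected.

    Heuristic (this example's assumption, not the advisory's): versions on or
    below the 8.5 line move to 8.5.10, later lines move to 8.13.1.
    """
    if not is_affected(text):
        return None
    major, minor, _ = parse_version(text)
    return FIXED_LTS if (major, minor) <= (8, 5) else FIXED_CURRENT


if __name__ == "__main__":
    # Constructed sample versions, not values taken from any real deployment.
    for v in ("8.5.9", "8.5.10", "8.12.0", "8.13.1"):
        status = "affected" if is_affected(v) else "not affected"
        print(f"{v}: {status}, upgrade to {recommended_fix(v)}")
```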


            Security Metrics Bot made changes -
            CVE ID New: CVE-2021-39127
            AB made changes -
            Resolution New: Fixed [ 1 ]
            Security Original: Atlassian Staff [ 10750 ]
            Status Original: Draft [ 12872 ] New: Published [ 12873 ]
            AB made changes -
            Labels Original: advisory advisory-to-release dont-import security New: CVE-2021-39127 advisory advisory-to-release dont-import security
            AB made changes -
            Summary Original: Anonymous User is Able to Access Query Component JQL Endpoint - CVE registration for this issue is in progress New: Anonymous User is Able to Access Query Component JQL Endpoint - CVE-2021-39127
            AB made changes -
            Summary Original: Anonymous User is Able to Access Query Component JQL Endpoint New: Anonymous User is Able to Access Query Component JQL Endpoint - CVE registration for this issue is in progress
            AB made changes -
            Summary Original: Privilege escalation: Anonymous User is Able to Access Query Component JQL Endpoint New: Anonymous User is Able to Access Query Component JQL Endpoint
            AB made changes -
            Description Original: Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability.

            The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1. 

            *Affected versions:*
             *  version < 8.5.10
             * 8.6.0 ≤ version < 8.13.1 

             *Fixed versions:*
             * 8.13.1
             * 8.5.10
            New: Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability.

            The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1. 

            *Affected versions:*
             * version < 8.5.10
             * 8.6.0 ≤ version < 8.13.1 

             *Fixed versions:*
             * 8.13.1
             * 8.5.10
            AB made changes -
            Description Original: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access SLAs for private projects for which they do not have view permissions via a Broken Access Control vulnerability (BAC) vulnerability.

             

            The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.

             

            *Affected versions:*
             *  version < 8.5.10
             * 8.6.0 ≤ version < 8.13.1 

             *Fixed versions:*
             * 8.13.1
             * 8.5.10
            New: Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability.

            The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1. 

            *Affected versions:*
             *  version < 8.5.10
             * 8.6.0 ≤ version < 8.13.1 

             *Fixed versions:*
             * 8.13.1
             * 8.5.10
            AB made changes -
            Summary Original: Privilege escalation:- Unauth User is Able to Access Query Component JQL Endpoint New: Privilege escalation: Anonymous User is Able to Access Query Component JQL Endpoint
            Colin Xu made changes -
            Description Original: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access SLAs for private projects for which they do not have view permissions via a Broken Access Control vulnerability (BAC) vulnerability.

             

            The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.

             

            *Affected versions:*
             *  version < 8.5.10
             * 8.6.0 ≤ version < 8.13.1 

             *Fixed versions:*
             * 8.13.1
             * 8.5.10

            New: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access SLAs for private projects for which they do not have view permissions via a Broken Access Control vulnerability (BAC) vulnerability.

             

            The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.

             

            *Affected versions:*
             *  version < 8.5.10
             * 8.6.0 ≤ version < 8.13.1 

             *Fixed versions:*
             * 8.13.1
             * 8.5.10

              Assignee: Unassigned
              Reporter: Security Metrics Bot
              Votes: 0
              Watchers: 1
