[%22Vendor] Gadget resource makeRequest defeats behind-the-firewall protection of app-linked resources - CVE-2021-26070 - Create and track feature requests for Atlassian products.

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Low
Fix Version/s: 8.13.3, 8.14.1, 8.15.0
Affects Version/s: 8.5.0, 8.13.0, 8.14.0
Component/s: None
Labels:

CVSS Score:
7.5
CVSS Severity:
High
CVE ID:
CVE-2021-26070

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to evade behind-the-firewall protection of app-linked resources via a Broken Authentication vulnerability in the `makeRequest` gadget resource.

The affected versions are before version 8.13.3, and from version 8.14.0 before 8.14.1.

Affected versions:

version < 8.13.3
8.14.0 ≤ version < 8.14.1

Fixed versions:

8.13.3
8.14.1
8.15.0

Patrice Lassalle added a comment - 06/Apr/2021 1:32 PM

Is it planned to include the fix in any 8.5 versions?

Patrice Lassalle added a comment - 06/Apr/2021 1:32 PM Is it planned to include the fix in any 8.5 versions?

David Black added a comment - 30/Mar/2021 1:36 AM

Hi a197d08fc5ad,
We have updated the CVE id reference for this issue.

David Black added a comment - 30/Mar/2021 1:36 AM Hi a197d08fc5ad , We have updated the CVE id reference for this issue.

Jay Kapadiya added a comment - 26/Mar/2021 11:16 AM

NVD suggests this vulnerability to be associated with CVE ID: CVE-2021-26070

Anything on the same??

Jay Kapadiya added a comment - 26/Mar/2021 11:16 AM NVD suggests this vulnerability to be associated with CVE ID: CVE-2021-26070 Anything on the same??

AB added a comment - 04/Feb/2021 1:09 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 7.2 => High severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	Low
Integrity	Low
Availability	None

AB added a comment - 04/Feb/2021 1:09 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 7.2 => High severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction None Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity Low Availability None

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 27/Jan/2021 4:01 AM

Updated:: 01/Sep/2021 6:01 AM

Resolved:: 04/Feb/2021 1:09 AM

Details

Description

Attachments

Forms

Activity

[JRASERVER-72029] Gadget resource makeRequest defeats behind-the-firewall protection of app-linked resources - CVE-2021-26070

Collapse comment: Patrice Lassalle added a comment - 06/Apr/2021 1:32 PM

Expand comment: Patrice Lassalle added a comment - 06/Apr/2021 1:32 PM

Collapse comment: David Black added a comment - 30/Mar/2021 1:36 AM

Expand comment: David Black added a comment - 30/Mar/2021 1:36 AM

Collapse comment: Jay Kapadiya added a comment - 26/Mar/2021 11:16 AM

Expand comment: Jay Kapadiya added a comment - 26/Mar/2021 11:16 AM

Collapse comment: AB added a comment - 04/Feb/2021 1:09 AM

Expand comment: AB added a comment - 04/Feb/2021 1:09 AM

People

Dates