• Type: Public Security Vulnerability
• Resolution: Fixed
• Priority: Low
• Fix Version/s: 8.5.13, 8.13.5, 8.15.1, 8.16.0
• Affects Version/s: 8.5.0, 8.13.0, 8.15.0
• Component/s: None
• Labels:

  • CVE-2021-26071
  • advisory
  • advisory-released
  • dont-import
  • security

[JRASERVER-72233] CSRF in the SetFeatureEnabled.jspa resource - CVE-2021-26071

Security Metrics Bot made changes - 16/Sep/2021 5:28 AM

CVE ID

New: CVE-2021-26071

David Black made changes - 01/Apr/2021 2:23 AM

Labels

Original: CVE-2021-26071 advisory advisory-to-release dont-import security

New: CVE-2021-26071 advisory advisory-released dont-import security

David Black made changes - 01/Apr/2021 2:23 AM

Security

Original: Reporter and Atlassian Staff [ 10751 ]

Collapse comment: David Black added a comment - 31/Mar/2021 6:11 AM

David Black added a comment - 31/Mar/2021 6:11 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 3.5 => Low severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low
User Interaction	Required

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	Low
Integrity	None
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Expand comment: David Black added a comment - 31/Mar/2021 6:11 AM

David Black added a comment - 31/Mar/2021 6:11 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 3.5 => Low severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction Required Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

David Black made changes - 31/Mar/2021 5:55 AM

Labels

Original: advisory advisory-to-release dont-import security

New: CVE-2021-26071 advisory advisory-to-release dont-import security

David Black made changes - 31/Mar/2021 5:55 AM

Summary

Original: CSRF in the SetFeatureEnabled.jspa resource - CVE-2021-XXX

New: CSRF in the SetFeatureEnabled.jspa resource - CVE-2021-26071

David Black made changes - 31/Mar/2021 5:53 AM

Description

Original: The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability   *Affected versions:*  * version < 8.5.13  * 8.6.0 ≤ version < 8.13.5  * 8.14.0 ≤ version < 8.15.1 *Fixed versions:*  * 8.5.13  * 8.13.5  * 8.15.1

New: The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability.   *Affected versions:*  * version < 8.5.13  * 8.6.0 ≤ version < 8.13.5  * 8.14.0 ≤ version < 8.15.1 *Fixed versions:*  * 8.5.13  * 8.13.5  * 8.15.1

David Black made changes - 31/Mar/2021 5:52 AM

Security

New: Reporter and Atlassian Staff [ 10751 ]

David Black made changes - 31/Mar/2021 5:51 AM

Security

Original: Atlassian Staff [ 10750 ]

David Black made changes - 31/Mar/2021 5:50 AM

Description

Original: The

New: The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability   *Affected versions:*  * version < 8.5.13  * 8.6.0 ≤ version < 8.13.5  * 8.14.0 ≤ version < 8.15.1 *Fixed versions:*  * 8.5.13  * 8.13.5  * 8.15.1

Load more older events