[JRASERVER-72293] Anonymous users are able to view user information through the /rest/api/2/search endpoint - CVE-2021-39122 - Create and track feature requests for Atlassian products.

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.5.13, 8.13.5, 8.15.1, 8.16.0
Affects Version/s: 8.8.1, 8.5.11, 8.5.12
Component/s: None
Labels:

CVSS Score:
3.6
CVSS Severity:
Low
CVE ID:
CVE-2021-39122

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view users' emails via an Information Disclosure vulnerability in the /rest/api/2/search endpoint.

The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.

*Affected versions:*

version < 8.5.13
8.6.0 ≤ version < 8.13.5
8.14.0 ≤ version < 8.15.1

*Fixed versions:*

8.5.13
8.13.5
8.15.1
8.16.0

relates to

JRASERVER-72272 Information Disclosure using JQL function membersOf - CVE-2020-36286

Closed

VULN-204886 Failed to load

AB added a comment - 01/Sep/2021 11:45 PM - edited

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 3.7 => Low severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	High
Privileges Required	None
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	Low
Integrity	None
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/CR:L/MPR:L/MC:L

AB added a comment - 01/Sep/2021 11:45 PM - edited This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 3.7 => Low severity Exploitability Metrics Attack Vector Network Attack Complexity High Privileges Required None User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/CR:L/MPR:L/MC:L

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Created:: 07/Apr/2021 6:10 AM

Updated:: 16/Sep/2021 5:28 AM

Resolved:: 08/Sep/2021 2:07 AM

Details

Description

Attachments

Issue Links

Forms

Activity

[JRASERVER-72293] Anonymous users are able to view user information through the /rest/api/2/search endpoint - CVE-2021-39122

Collapse comment: AB added a comment - 01/Sep/2021 11:45 PM, Edited by Security Metrics Bot - 01/Sep/2021 11:53 PM

Expand comment: AB added a comment - 01/Sep/2021 11:45 PM, Edited by Security Metrics Bot - 01/Sep/2021 11:53 PM

People

Dates