[JRASERVER-72293] Anonymous users are able to view user information through the /rest/api/2/search endpoint - CVE-2021-39122 - Create and track feature requests for Atlassian products.

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.5.13, 8.13.5, 8.15.1, 8.16.0
Affects Version/s: 8.8.1, 8.5.11, 8.5.12
Component/s: None
Labels:

CVSS Score:
3.6
CVSS Severity:
Low
CVE ID:
CVE-2021-39122

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view users' emails via an Information Disclosure vulnerability in the /rest/api/2/search endpoint.

The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.

*Affected versions:*

version < 8.5.13
8.6.0 ≤ version < 8.13.5
8.14.0 ≤ version < 8.15.1

*Fixed versions:*

8.5.13
8.13.5
8.15.1
8.16.0

relates to

JRASERVER-72272 Information Disclosure using JQL function membersOf - CVE-2020-36286

Closed

VULN-204886 Failed to load

Security Metrics Bot made changes - 16/Sep/2021 5:28 AM

CVE ID

New: CVE-2021-39122

AB made changes - 08/Sep/2021 2:07 AM

Security

Original: Atlassian Staff [ 10750 ]

AB made changes - 08/Sep/2021 2:07 AM

Resolution		New: Fixed [ 1 ]
Status	Original: Draft [ 12872 ]	New: Published [ 12873 ]

AB made changes - 08/Sep/2021 2:07 AM

Labels

Original: advisory advisory-released dont-import security

New: CVE-2021-39122 advisory advisory-released dont-import security

AB made changes - 08/Sep/2021 2:07 AM

Summary

Original: Anonymous users are able to view user information through the /rest/api/2/search endpoint - CVE registration for this issue is happening already

New: Anonymous users are able to view user information through the /rest/api/2/search endpoint - CVE-2021-39122

AB made changes - 06/Sep/2021 1:47 AM

Description

Original: Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view user information via an Information Disclosure vulnerability in the /rest/api/2/search endpoint.

The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.

**Affected versions:**

* version < 8.5.13
* 8.6.0 ≤ version < 8.13.5
* 8.14.0 ≤ version < 8.15.1

**Fixed versions:**

* 8.5.13
* 8.13.5
* 8.15.1
* 8.16.0

New: Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view users' emails via an Information Disclosure vulnerability in the /rest/api/2/search endpoint.

The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.

**Affected versions:**

* version < 8.5.13
* 8.6.0 ≤ version < 8.13.5
* 8.14.0 ≤ version < 8.15.1

**Fixed versions:**

* 8.5.13
* 8.13.5
* 8.15.1
* 8.16.0

AB added a comment - 01/Sep/2021 11:45 PM - edited

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 3.7 => Low severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	High
Privileges Required	None
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	Low
Integrity	None
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/CR:L/MPR:L/MC:L

AB added a comment - 01/Sep/2021 11:45 PM - edited This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 3.7 => Low severity Exploitability Metrics Attack Vector Network Attack Complexity High Privileges Required None User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/CR:L/MPR:L/MC:L

AB made changes - 01/Sep/2021 11:43 PM

Summary

Original: Anonymous users are able to view user information through the /rest/api/2/search endpoint

New: Anonymous users are able to view user information through the /rest/api/2/search endpoint - CVE registration for this issue is happening already

AB made changes - 01/Sep/2021 11:43 PM

Description

Original: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view sensitive information via an Information Disclosure vulnerability in {component}.

((Use the `; versions` script here to list the fixed and affected versions))

New: Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view user information via an Information Disclosure vulnerability in the /rest/api/2/search endpoint.

The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.

**Affected versions:**

* version < 8.5.13
* 8.6.0 ≤ version < 8.13.5
* 8.14.0 ≤ version < 8.15.1

**Fixed versions:**

* 8.5.13
* 8.13.5
* 8.15.1
* 8.16.0

AB made changes - 01/Sep/2021 11:42 PM

Summary

Original: Information Disclosure using JQL function membersOf to Anonymous REST API

New: Anonymous users are able to view user information through the /rest/api/2/search endpoint

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Created:: 07/Apr/2021 6:10 AM

Updated:: 16/Sep/2021 5:28 AM

Resolved:: 08/Sep/2021 2:07 AM

Details

Description

Attachments

Issue Links

Forms

Activity

[JRASERVER-72293] Anonymous users are able to view user information through the /rest/api/2/search endpoint - CVE-2021-39122

Collapse comment: AB added a comment - 01/Sep/2021 11:45 PM, Edited by Security Metrics Bot - 01/Sep/2021 11:53 PM

Expand comment: AB added a comment - 01/Sep/2021 11:45 PM, Edited by Security Metrics Bot - 01/Sep/2021 11:53 PM

People

Dates