[JRASERVER-72573] Cached content persisting after disabling anonymous access for allowlist URLs - CVE-2021-39113 - Create and track feature requests for Atlassian products.

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.18.0, 8.13.9
Affects Version/s: 8.17.0, 8.13.8
Component/s: None
Labels:

CVSS Score:
4
CVSS Severity:
Medium
CVE ID:
CVE-2021-39113

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature.

The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0.

*Affected versions:*

version < 8.13.9
8.14.0 ≤ version < 8.18.0

*Fixed versions:*

8.13.9
8.18.0

mentioned in: Page Failed to load; Page Failed to load; Page Failed to load

Form Name

AB added a comment - 25/Aug/2021 4:23 AM - edited

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 4.0 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	High
Privileges Required	None
User Interaction	None

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	Low
Integrity	None
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

AB added a comment - 25/Aug/2021 4:23 AM - edited This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 4.0 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity High Privileges Required None User Interaction None Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 02/Jul/2021 12:39 AM

Updated:: 17/Oct/2021 8:24 PM

Resolved:: 01/Sep/2021 11:02 PM

Details

Description

Attachments

Issue Links

Forms

Activity

[JRASERVER-72573] Cached content persisting after disabling anonymous access for allowlist URLs - CVE-2021-39113

Collapse comment: AB added a comment - 25/Aug/2021 4:23 AM, Edited by Security Metrics Bot - 26/Aug/2021 1:47 AM

Expand comment: AB added a comment - 25/Aug/2021 4:23 AM, Edited by Security Metrics Bot - 26/Aug/2021 1:47 AM

People

Dates