Project: Jira Data Center
Issue: JRASERVER-72575

Information disclosure issue in the comment notification feature - CVE-2021-39120

    • CVSS v3 score: 4.3
    • Severity: Medium
    • CVE-2021-39120

      Affected versions of Atlassian Jira Server and Data Center allow remote attackers to learn when a restricted comment is removed from an issue via an information disclosure vulnerability in the comment notification functionality.

      The affected versions are before version 8.18.0.

      *Affected versions:*

      • version < 8.18.0

      *Fixed versions:*

      • 8.18.0


            Pandiyan Muthuraman added a comment - I think this critical bug has been backported to the 8.13.19 LTS release; I would appreciate it if the Atlassian community updated the fixed versions list.

            Ishwar Vibhuti added a comment - Is this fixed for 8.20.X series?

            Emily Lv added a comment - Any workaround in 8.13.X LTS?

            Kiran John added a comment -

            The vulnerability was reported on 02/Jul/2021; as per the Atlassian vulnerability bug-fix policy, the fix window is 90 days from the reporting date (Security bug fix Service Level Objectives (SLO)).

            CVE-2021-39120 : CVSS v3 score: 4.3 => Medium severity

            • Critical, High, and Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) to be fixed in the product within 90 days of being reported.

            This bug is more than 90 days old; what is the plan for a fix release, and how can a customer escalate to the next level?


            Ishwar Vibhuti added a comment - Wanted to confirm if this is also fixed for the LTS version; if yes, then kindly provide the version. If no, then kindly share the version you are planning to patch this in. (Also let us know in case this is not impacting the LTS version.)

            Fabrizio Galletti (Getconnected) added a comment - Is it fixed for 8.13 LTS?

            AB added a comment - - edited

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 4.3 => Medium severity

            Exploitability Metrics

            Attack Vector: Network
            Attack Complexity: Low
            Privileges Required: None
            User Interaction: Required

            Scope Metric

            Scope: Unchanged

            Impact Metrics

            Confidentiality: Low
            Integrity: None
            Availability: None

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N


              Assignee: Unassigned
              Reporter: Security Metrics Bot (security-metrics-bot)
              Votes: 0
              Watchers: 21
