[JRASERVER-72575] Information disclosure issue in the comment notification feature - CVE-2021-39120 - Create and track feature requests for Atlassian products.

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.18.0, 8.18.1, 8.13.14, 8.13.19
Affects Version/s: 8.5.15, 8.13.7
Component/s: None
Labels:

CVSS Score:
4.3
CVSS Severity:
Medium
CVE ID:
CVE-2021-39120

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to learn when a restricted comment is removed from an issue via an information disclosure vulnerability in the comment notification functionality.

The affected versions are before version 8.18.0.

*Affected versions:*

version < 8.18.0

*Fixed versions:*

8.18.0

is related to: JSEC-520 You do not have permission to view this issue; JSEC-523 You do not have permission to view this issue

mentioned in: Page Failed to load; Page Failed to load

Form Name

Pandiyan Muthuraman added a comment - 25/Mar/2022 6:43 PM

I think this critical bug has been backported to 8.13.19 LTS releases, I would appreciate if Atlassian community update fixed versions list

Pandiyan Muthuraman added a comment - 25/Mar/2022 6:43 PM I think this critical bug has been backported to 8.13.19 LTS releases, I would appreciate if Atlassian community update fixed versions list

Ishwar Vibhuti added a comment - 23/Nov/2021 1:13 PM

Is this fixed for 8.20.X series?

Ishwar Vibhuti added a comment - 23/Nov/2021 1:13 PM Is this fixed for 8.20.X series?

Emily Lv added a comment - 21/Oct/2021 3:08 AM

Any workaround in 8.13.X LTS ?

Emily Lv added a comment - 21/Oct/2021 3:08 AM Any workaround in 8.13.X LTS ?

Kiran John added a comment - 15/Oct/2021 3:35 PM

The vulnerability was reported on 02/Jul/2021 as per the Atlassian vulnerability bug-fix policy, 90 days from the reporting date (Security bug fix Service Level Objectives (SLO))

CVE-2021-39120 : CVSS v3 score: 4.3 => Medium severity

Critical, High, and Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) to be fixed in the product within 90 days of being reported.

This bug more than 90 days, what is the plan for fix Release, how a customer can escalate to the next level?

Kiran John added a comment - 15/Oct/2021 3:35 PM The vulnerability was reported on 02/Jul/2021 as per the Atlassian vulnerability bug-fix policy, 90 days from the reporting date (Security bug fix Service Level Objectives (SLO)) CVE-2021-39120 : CVSS v3 score: 4.3 => Medium severity Critical , High , and Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) to be fixed in the product within 90 days of being reported. This bug more than 90 days, what is the plan for fix Release, how a customer can escalate to the next level?

Ishwar Vibhuti added a comment - 14/Oct/2021 4:44 PM

Wanted to confirm if is this also fixed for LTS version, if yes than kindly provide version. If no, than kindly share the version you are planning to patch this in. (Also let us know in case this is not impacting to LTS version.)

Ishwar Vibhuti added a comment - 14/Oct/2021 4:44 PM Wanted to confirm if is this also fixed for LTS version, if yes than kindly provide version. If no, than kindly share the version you are planning to patch this in. (Also let us know in case this is not impacting to LTS version.)

Fabrizio Galletti (Getconnected) added a comment - 11/Oct/2021 9:39 AM

Is it fixed for 8.13 LTS?

Fabrizio Galletti (Getconnected) added a comment - 11/Oct/2021 9:39 AM Is it fixed for 8.13 LTS?

AB added a comment - 30/Aug/2021 3:43 AM - edited

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 4.3 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	Required

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	Low
Integrity	None
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

AB added a comment - 30/Aug/2021 3:43 AM - edited This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 4.3 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction Required Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 21 Start watching this issue

Created:: 02/Jul/2021 12:53 AM

Updated:: 28/Mar/2022 5:27 PM

Resolved:: 30/Aug/2021 3:43 AM

Jira Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

[JRASERVER-72575] Information disclosure issue in the comment notification feature - CVE-2021-39120

Collapse comment: Pandiyan Muthuraman added a comment - 25/Mar/2022 6:43 PM

Expand comment: Pandiyan Muthuraman added a comment - 25/Mar/2022 6:43 PM

Collapse comment: Ishwar Vibhuti added a comment - 23/Nov/2021 1:13 PM

Expand comment: Ishwar Vibhuti added a comment - 23/Nov/2021 1:13 PM

Collapse comment: Emily Lv added a comment - 21/Oct/2021 3:08 AM

Expand comment: Emily Lv added a comment - 21/Oct/2021 3:08 AM

Collapse comment: Kiran John added a comment - 15/Oct/2021 3:35 PM

Expand comment: Kiran John added a comment - 15/Oct/2021 3:35 PM

Collapse comment: Ishwar Vibhuti added a comment - 14/Oct/2021 4:44 PM

Expand comment: Ishwar Vibhuti added a comment - 14/Oct/2021 4:44 PM

Collapse comment: Fabrizio Galletti (Getconnected) added a comment - 11/Oct/2021 9:39 AM

Expand comment: Fabrizio Galletti (Getconnected) added a comment - 11/Oct/2021 9:39 AM

Collapse comment: AB added a comment - 30/Aug/2021 3:43 AM, Edited by Security Metrics Bot - 01/Sep/2021 11:53 PM

Expand comment: AB added a comment - 30/Aug/2021 3:43 AM, Edited by Security Metrics Bot - 01/Sep/2021 11:53 PM

People

Dates