• Type: Public Security Vulnerability
• Resolution: Fixed
• Priority: Low (View bug fix roadmap)
• Fix Version/s: 8.5.18, 8.13.10, 8.18.2
• Affects Version/s: 8.18.0, 8.5.17, 8.13.9
• Component/s: None
• Labels:

  • CVE-2021-39121
  • advisory
  • advisory-released
  • dont-import
  • security

[JRASERVER-72715] Project key enumeration via the /rest/api/latest/projectvalidate/key endpoint - CVE-2021-39121

Security Metrics Bot made changes - 16/Sep/2021 5:27 AM

CVE ID

New: CVE-2021-39121

David Black made changes - 13/Sep/2021 6:00 AM

Labels

Original: CVE-2021-39121 advisory advisory-to-release dont-import security

New: CVE-2021-39121 advisory advisory-released dont-import security

AB made changes - 08/Sep/2021 1:46 AM

Security

Original: Atlassian Staff [ 10750 ]

AB made changes - 08/Sep/2021 1:46 AM

Resolution		New: Fixed [ 1 ]
Status	Original: Draft [ 12872 ]	New: Published [ 12873 ]

AB made changes - 08/Sep/2021 1:46 AM

Labels

Original: advisory advisory-to-release dont-import security

New: CVE-2021-39121 advisory advisory-to-release dont-import security

AB made changes - 08/Sep/2021 1:46 AM

Summary

Original: Project key enumeration via the /rest/api/latest/projectvalidate/key endpoint - CVE is in progress being registered

New: Project key enumeration via the /rest/api/latest/projectvalidate/key endpoint - CVE-2021-39121

AB made changes - 06/Sep/2021 1:48 AM

Description

Original: Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate the keys of private Jira projects via an Information Disclosure vulnerability in the /rest/api/latest/projectvalidate/key endpoint. The affected versions are before version 8.5.18, from version 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2. **Affected versions:**  * version < 8.5.18  * 8.6.0 ≤ version < 8.13.10  * 8.14.0 ≤ version < 8.18.2 **Fixed versions:**  * 8.5.18  * 8.13.10  * 8.18.2

New: Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to enumerate the keys of private Jira projects via an Information Disclosure vulnerability in the /rest/api/latest/projectvalidate/key endpoint. The affected versions are before version 8.5.18, from version 8.6.0 before 8.13.10, and from version 8.14.0 before 8.18.2. **Affected versions:**  * version < 8.5.18  * 8.6.0 ≤ version < 8.13.10  * 8.14.0 ≤ version < 8.18.2 **Fixed versions:**  * 8.5.18  * 8.13.10  * 8.18.2

Brian Adeloye (Inactive) made changes - 02/Sep/2021 11:07 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 576814 ]

AB made changes - 01/Sep/2021 11:36 PM

Summary

Original: Project key enumeration via the /rest/api/latest/projectvalidate/key endpoint - CVE-in-progress

New: Project key enumeration via the /rest/api/latest/projectvalidate/key endpoint - CVE is in progress being registered

Collapse comment: AB added a comment - 01/Sep/2021 11:24 PM, Edited by Security Metrics Bot - 01/Sep/2021 11:53 PM

AB added a comment - 01/Sep/2021 11:24 PM - edited

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 4.3 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	Low
Integrity	None
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Expand comment: AB added a comment - 01/Sep/2021 11:24 PM, Edited by Security Metrics Bot - 01/Sep/2021 11:53 PM

AB added a comment - 01/Sep/2021 11:24 PM - edited This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 4.3 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Load more older events