Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-72737

Issue watchers continue receiving updates even after their Jira account is revoked - CVE-2021-39119

XMLWordPrintable

    • 3.1
    • Low
    • CVE-2021-39119

      Summary

      Affected versions of Atlassian Jira Server and Data Center allow users who have watched an issue to continue receiving updates on the issue even after their Jira account is revoked, via a Broken Access Control vulnerability in the issue notification feature.

      The affected versions are before version 8.19.0.

      Affected versions:

      • version < 8.19.0

      Fixed versions:

      • 8.19.0

      Note on fix

      Due to this change, Jira notifications (batched and non-batched) not sent anymore to users who don't have application access after Jira upgrade to 8.19.0, see related KB and suggestion JRASERVER-73165.

       

      Atlassian Update – 11 Feb 2022

      Since Jira 8.20.6 it will be possible to revert new behaviour introduced by JRASERVER-72737 with Dark Feature Flag:

      com.atlassian.jira.send.email.notifications.to.user.without.application.access.enabled 

      At the same time 8.13.19+ will have option to enable new fix with feature flag:

      com.atlassian.jira.send.email.notifications.to.user.without.application.access.enabled   

      Cheers,
      Jira DC Bugfix Team

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              16 Start watching this issue

                Created:
                Updated:
                Resolved: