
Denial of Service when reading particularly-crafted GIF files - CVE-2021-39116

    • CVSS v3 score: 4.3
    • Severity: Medium
    • CVE ID: CVE-2021-39116

      Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Denial of Service (DoS) vulnerability in the GIF Image Reader component.

      The affected versions are before version 8.13.14, and from version 8.14.0 before 8.19.0.

      Affected versions:

      • version < 8.13.14
      • 8.14.0 ≤ version < 8.19.0

      Fixed versions:

      • 8.13.14
      • 8.19.0


            AB added a comment -

            Version 8.13.14 has been published, and contains a fix for the 8.13.x minor series.

            As a result, the affected versions range has changed. Please check the updated description for details.

            The change will be propagated through to Mitre's CVE listings soon.


            Tomasz Baszczynski added a comment -

            Can someone from Atlassian please confirm that 8.13.10 / 8.13.11 are not affected?

            Emilio Palmiero added a comment -

            Can someone from Atlassian please confirm that 8.13.10 is not affected?

            Tobias Peter added a comment -

            I had the same question: what about the latest 8.13 LTS release?

            After a quick search on the given CVE I found on vulners.com that 8.13.10 LTS is not affected anymore.

            Emilio Palmiero added a comment -

            Will this be fixed in the 8.13 LTS release?

            AB added a comment - edited

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 4.3 => Medium severity

            Exploitability Metrics

            Attack Vector: Network
            Attack Complexity: Low
            Privileges Required: Low
            User Interaction: None

            Scope Metric

            Scope: Unchanged

            Impact Metrics

            Confidentiality: None
            Integrity: None
            Availability: Low

            Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L


              Assignee: Unassigned
              Reporter: Security Metrics Bot (security-metrics-bot)