• Type: Public Security Vulnerability
• Resolution: Fixed
• Priority: Low
• Fix Version/s: 8.19.1
• Affects Version/s: 8.5.18, 8.13.10, 8.19.0
• Component/s: None
• Labels:

  • advisory
  • advisory-to-release
  • dont-import
  • security

[JRASERVER-72802] Access-revoked user can add new users and groups to a Jira project - CVE-2021-41311

Collapse comment: Danny Prill added a comment - 27/Feb/2022 12:13 PM, Edited by Danny Prill - 27/Feb/2022 12:14 PM

Danny Prill added a comment - 27/Feb/2022 12:13 PM - edited

f

Expand comment: Danny Prill added a comment - 27/Feb/2022 12:13 PM, Edited by Danny Prill - 27/Feb/2022 12:14 PM

Danny Prill added a comment - 27/Feb/2022 12:13 PM - edited f

Collapse comment: Tomasz Baszczynski added a comment - 10/Jan/2022 2:52 PM

Tomasz Baszczynski added a comment - 10/Jan/2022 2:52 PM

Dear Atlassian-Team, will be the LTS Version of Jira patched? Or is Jira 8.13.5 not affected?

Expand comment: Tomasz Baszczynski added a comment - 10/Jan/2022 2:52 PM

Tomasz Baszczynski added a comment - 10/Jan/2022 2:52 PM Dear Atlassian-Team, will be the LTS Version of Jira patched? Or is Jira 8.13.5 not affected?

Collapse comment: Performation Healthcare Intelligence BV added a comment - 29/Dec/2021 2:03 PM

Performation Healthcare Intelligence BV added a comment - 29/Dec/2021 2:03 PM

Will the fix be ported to the 8.13 LTS? Several 8.13 patch versions were released since the fix, why wasn't the fix backported? Affected versions list 8.13.10 while 8.13.15 is the last released patch version of the 8.13 line, this is confusing.

We would like to evault the applicability to our own IT environment, but how can the vulnerability be reproduced? It is unclear what "administrator account that has had its access revoked" means exactly and what is "Broken Authentication vulnerability" and how it can be used to modify project's user and roles?

 

 

Expand comment: Performation Healthcare Intelligence BV added a comment - 29/Dec/2021 2:03 PM

Performation Healthcare Intelligence BV added a comment - 29/Dec/2021 2:03 PM Will the fix be ported to the 8.13 LTS? Several 8.13 patch versions were released since the fix, why wasn't the fix backported? Affected versions list 8.13.10 while 8.13.15 is the last released patch version of the 8.13 line, this is confusing. We would like to evault the applicability to our own IT environment, but how can the vulnerability be reproduced? It is unclear what "administrator account that has had its access revoked" means exactly and what is "Broken Authentication vulnerability" and how it can be used to modify project's user and roles?    

Collapse comment: AB added a comment - 16/Sep/2021 12:44 AM, Edited by Security Metrics Bot - 16/Sep/2021 3:34 AM

AB added a comment - 16/Sep/2021 12:44 AM - edited

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 7.5 => High severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	High
Integrity	None
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Expand comment: AB added a comment - 16/Sep/2021 12:44 AM, Edited by Security Metrics Bot - 16/Sep/2021 3:34 AM

AB added a comment - 16/Sep/2021 12:44 AM - edited This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 7.5 => High severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality High Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N