• Type: Public Security Vulnerability
• Resolution: Fixed
• Priority: Low
• Fix Version/s: 8.19.1
• Affects Version/s: 8.5.18, 8.13.10, 8.19.0
• Component/s: None
• Labels:

  • advisory
  • advisory-to-release
  • dont-import
  • security

[JRASERVER-72803] Access-revoked user can view audit logs of Jira Projects - CVE-2021-41309

Nobuyuki Mukai made changes - 21/Dec/2021 2:08 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 605088 ]

Nobuyuki Mukai made changes - 14/Dec/2021 8:24 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 604401 ]

Security Metrics Bot made changes - 12/Dec/2021 8:28 PM

CVE ID

New: CVE-2021-41309

AB made changes - 08/Dec/2021 3:31 AM

Resolution		New: Fixed [ 1 ]
Security	Original: Atlassian Staff [ 10750 ]
Status	Original: Draft [ 12872 ]	New: Published [ 12873 ]

AB made changes - 08/Dec/2021 3:31 AM

Summary

Original: Access-revoked user can view audit logs of Jira Projects - CVE registration for this issue is already in progress

New: Access-revoked user can view audit logs of Jira Projects - CVE-2021-41309

AB made changes - 01/Nov/2021 3:58 AM

Description

Original: Affected versions of Atlassian Jira Server and Data Center allow an administrator user who has had their access revoked to export audit logs of another user's Jira Service Management project via a Broken Authentication vulnerability in the /plugins/servlet/audit/resource endpoint. The affected versions of Jira Server and Data Center are before version 8.19.1. **Affected versions:**  * version < 8.19.1 **Fixed versions:**  * 8.19.1

New: Affected versions of Atlassian Jira Server and Data Center allow a user who has had their Jira Service Management access revoked to export audit logs of another user's Jira Service Management project via a Broken Authentication vulnerability in the /plugins/servlet/audit/resource endpoint. The affected versions of Jira Server and Data Center are before version 8.19.1. **Affected versions:**  * version < 8.19.1 **Fixed versions:**  * 8.19.1

AB made changes - 01/Nov/2021 3:57 AM

Description

Original: Affected versions of Atlassian Jira Server and Data Center allow an access-revoked user to export audit logs of another user's Jira Service Management project via an Insecure Direct Object References (IDOR) vulnerability in the /plugins/servlet/audit/resource endpoint. The affected versions of Jira Server and Data Center are before version 8.19.1. **Affected versions:**  * version < 8.19.1 **Fixed versions:**  * 8.19.1

New: Affected versions of Atlassian Jira Server and Data Center allow an administrator user who has had their access revoked to export audit logs of another user's Jira Service Management project via a Broken Authentication vulnerability in the /plugins/servlet/audit/resource endpoint. The affected versions of Jira Server and Data Center are before version 8.19.1. **Affected versions:**  * version < 8.19.1 **Fixed versions:**  * 8.19.1

AB made changes - 26/Oct/2021 9:07 PM

Summary

Original: Access-revoked user can view audit logs of Jira Projects

New: Access-revoked user can view audit logs of Jira Projects - CVE registration for this issue is already in progress

Brian Adeloye (Inactive) made changes - 22/Oct/2021 7:05 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 593335 ]

Filip Nowak made changes - 20/Sep/2021 2:10 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 580300 ]

Load more older history items