
Privilege escalation leads unauthorized user to edit email batch configurations - CVE-2021-41313

    • 4.3
    • Medium
    • CVE-2021-41313

      Affected versions of Atlassian Jira Server and Data Center allow authenticated but non-admin remote attackers to edit email batch configurations via an Improper Authorization vulnerability in the /secure/admin/ConfigureBatching!default.jspa endpoint.

      The affected versions are before version 8.20.7.

      Affected versions:

      • version < 8.20.7

      Fixed versions:

      • 8.20.7
      • 8.21.0
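As an added example (not code from the issue or from Atlassian), the check below does two things a defender would want from this record: it decides from a version string whether an instance falls inside the affected range stated above (anything below 8.20.7), and it scans HTTP access-log lines for requests to the ConfigureBatching admin page made by authenticated users who are not on an admin allowlist. The log-line layout, the allowlist and the sample lines are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Assumed layout of a Jira HTTP access-log line, modelled on
# atlassian-jira-http-access.log (an assumption of this example):
#   client_ip request_id username [timestamp] "METHOD path HTTP/x" status bytes time
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<reqid>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

TARGET_PREFIX = "/secure/admin/ConfigureBatching"  # admin page named in the issue

# Hypothetical allowlist of accounts that legitimately hold Jira admin rights.
ADMIN_USERS = {"admin", "jira-sysadmin"}

# Constructed sample log: one real admin, one ordinary user reaching the page
# and submitting it, an unrelated request, and an anonymous hit bounced to login.
SAMPLE_LOG = """\
10.0.0.5 1x12x1 admin [01/Feb/2022:09:15:02 +0000] "GET /secure/admin/ConfigureBatching!default.jspa HTTP/1.1" 200 5120 31
10.0.0.9 1x13x1 jdoe [01/Feb/2022:09:16:44 +0000] "GET /secure/admin/ConfigureBatching!default.jspa HTTP/1.1" 200 5120 28
10.0.0.9 1x14x1 jdoe [01/Feb/2022:09:17:10 +0000] "POST /secure/admin/ConfigureBatching.jspa HTTP/1.1" 302 0 44
10.0.0.9 1x15x1 jdoe [01/Feb/2022:09:18:00 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 8800 20
10.0.0.7 1x16x1 - [01/Feb/2022:09:19:31 +0000] "GET /secure/admin/ConfigureBatching!default.jspa HTTP/1.1" 302 0 5
"""

FIXED_VERSION = (8, 20, 7)  # the issue states affected versions are < 8.20.7


def is_affected(version: str) -> bool:
    """True when a Jira Server/DC version string is below the first fixed release."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts + (0,) * (3 - len(parts)) < FIXED_VERSION


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_nonadmin_hits(log_text: str, admins=ADMIN_USERS) -> List[Dict[str, str]]:
    """Return requests to the batching admin page by authenticated non-admin users."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(TARGET_PREFIX):
            continue
        if rec["user"] == "-" or rec["user"] in admins:
            continue  # anonymous (sent to login) or a legitimate administrator
        findings.append(rec)
    return findings
```

A 302 on the POST can be either a successful save redirect or a login/websudo bounce, so a hit from a non-admin account is a lead to verify against the instance's own logs and configuration history, not proof of a change.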

            [JRASERVER-72898] Privilege escalation leads unauthorized user to edit email batch configurations - CVE-2021-41313

            AB added a comment -

            The description of this issue incorrectly stated that the fix for 8.20.x was published in version 8.20.1. This was incorrect and should be version 8.20.7. I've now updated the description to the correct version.

            The Mitre CVE record will be updated shortly.


Team Infra & ITSec added a comment -

How exactly can you claim that it's fixed in version 8.20.1 when it was released in 8.20.7? This is inconsistent information...

AB added a comment - edited

A fix for this issue has been published for 8.20.x in version 8.20.1.

The Mitre CVE record will be updated shortly.

Brad Taplin added a comment -

Concur with others: Please fix in the LTS 8.20.x.

Harald Maierhofer added a comment - edited

Dear support team,
as already mentioned by a number of users above I would like to renew the question and highlight the need of a fix in the LTS branch 8.20.x.
You have released 8.20.4 some days ago, unfortunately I cannot see any related fix in the release notes.
To sum up, is it planned?
When is the planned release date?
Thanks.

Ingo Fernges added a comment -

Why should we use a LTS version, if there is no update for vulnerabilities? The vulnerability has been known for at least 2 months.
When is an update for 8.20.x available? It shouldn't be a problem to backport it.

Frank Dicks added a comment -

In our company we need the fix in the LTS version. Please fix in the LTS 8.20.x.

            Kevin added a comment -

            Will this be backported to 8.20.x LTS?


Russell Berry added a comment - edited

Flagged in Qualys as QID 730261

            Matt Wilks added a comment -

            Please add an LTS fix.

