[JRASERVER-73068] Reflected XSS via /rest/collectors/1.0/template/custom - CVE-2021-43942 - Create and track feature requests for Atlassian products.

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.21.0, 8.13.15, 8.20.3
Affects Version/s: 8.13.13, 8.20.1
Component/s: None
Labels:

CVSS Score:
6.1
CVSS Severity:
Medium
CVE ID:
CVE-2021-43942

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (XSS) vulnerability in the /rest/collectors/1.0/template/custom endpoint. To exploit this issue, the attacker must trick a user into visiting a malicious website.

The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3.

Affected versions:

version < 8.13.15
8.14.0 ≤ version < 8.20.3

Fixed versions:

8.13.15
8.20.3
8.21.0

causes

JRASERVER-73212 Submitting an issue collector on a non-same origin site results in HTTP 404

Closed

mentioned in: Page Failed to load

Danny Prill added a comment - 27/Feb/2022 12:16 PM - edited

Danny Prill added a comment - 27/Feb/2022 12:16 PM - edited f

AB added a comment - 30/Dec/2021 4:17 AM - edited

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 6.1 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	Required

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	Low
Integrity	Low
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AB added a comment - 30/Dec/2021 4:17 AM - edited This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 6.1 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction Required Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity Low Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 30/Nov/2021 6:48 PM

Updated:: 31/Mar/2022 2:04 PM

Resolved:: 04/Jan/2022 2:36 AM

Jira Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

[JRASERVER-73068] Reflected XSS via /rest/collectors/1.0/template/custom - CVE-2021-43942

Collapse comment: Danny Prill added a comment - 27/Feb/2022 12:16 PM, Edited by Danny Prill - 27/Feb/2022 12:16 PM

Expand comment: Danny Prill added a comment - 27/Feb/2022 12:16 PM, Edited by Danny Prill - 27/Feb/2022 12:16 PM

Collapse comment: AB added a comment - 30/Dec/2021 4:17 AM, Edited by Security Metrics Bot - 30/Dec/2021 4:19 AM

Expand comment: AB added a comment - 30/Dec/2021 4:17 AM, Edited by Security Metrics Bot - 30/Dec/2021 4:19 AM

People

Dates