[JRASERVER-73071] Unauthorized user can add administrator groups to filter subscriptions - CVE-2021-43946 - Create and track feature requests for Atlassian products.

XML

Word

Printable

Details

Type: Public Security Vulnerability
Status: Published (View Workflow)
Priority: Low
Resolution: Fixed
Affects Version/s: 8.19.0, 8.20.0
Fix Version/s: 8.21.0, 8.13.21, 8.20.9
Component/s: None
Labels:

CVSS Score:
5
CVSS Severity:
Medium
CVE ID:
CVE-2021-43946

Description

Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to add administrator groups to filter subscriptions via a Broken Access Control vulnerability in the /secure/EditSubscription.jspa endpoint.

The affected versions are before version 8.21.0.

Affected versions:

version < 8.21.0

Fixed versions:

8.21.0

Attachments

Issue Links

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

relates to: JSEC-1038 Loading...

(3 mentioned in, 1 relates to)

Activity

People

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 76 Start watching this issue

Dates

Created:: 30/Nov/2021 6:48 PM

Updated:: 5 days ago 6:19 PM

Resolved:: 05/Jan/2022 3:40 AM