
Default field configuration can be restored via CSRF - CVE-2021-43952

    • 3
    • Low
    • CVE-2021-43952

      Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to restore the default configuration of fields via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/RestoreDefaults.jspa endpoint.

      This bug is fixed in Jira 8.21.0.
      Non-LTS versions < 8.21.0 are still affected.

      Previous LTS versions affected by this bug:

      • Jira < 8.20.6 and Jira < 8.13.18

      The bug fix was backported to the following previous LTS version patches:

      • Fixed on Jira 8.20.6 and 8.13.18
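As an added example (not part of this issue or of Atlassian's code), a small Python check that encodes the fix matrix from the description above and compares versions numerically, so that a patch such as 8.20.10 is correctly treated as later than 8.20.6 rather than sorted as a string. Treating every line other than 8.20.x and 8.13.x under the generic "< 8.21.0" rule is an assumption; the sample versions are the ones asked about in the comment thread.

```python
import re
from typing import Tuple

# Fix matrix taken from the issue description: the fix landed in 8.21.0 and was
# backported to the LTS lines 8.20.x (8.20.6) and 8.13.x (8.13.18).
FIRST_FIXED_NON_LTS = (8, 21, 0)
LTS_BACKPORTS = {
    (8, 20): (8, 20, 6),
    (8, 13): (8, 13, 18),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into an integer tuple so that 8.20.10
    compares greater than 8.20.6 (plain string comparison gets this wrong)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jira version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """Return True if this Jira Server/Data Center version is affected by
    CVE-2021-43952 according to the fix matrix in the issue description."""
    v = parse_version(version)
    backport = LTS_BACKPORTS.get(v[:2])
    if backport is not None:
        # LTS line with a backported fix: fixed from the backport patch onwards.
        return v < backport
    # Any other line (non-LTS, or older lines the issue does not list
    # separately; assumption) is fixed from 8.21.0 onwards.
    return v < FIRST_FIXED_NON_LTS


if __name__ == "__main__":
    # Versions raised in the comments on this issue.
    for ver in ("8.20.10", "8.20.7", "8.20.5", "8.13.16", "8.13.18", "8.19.1"):
        status = "AFFECTED" if is_affected(ver) else "fixed"
        print(f"Jira {ver}: {status}")
```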


            Keith Schug added a comment - edited

            Is this still an issue for LTR 8.20.10?

            Darrin Broin added a comment -

            Please clarify the inconsistency between the header Fix Versions (..., 8.20.6) and the "Fixed Versions" in the description (8.21.0).

            We are on the LTS 8.20.x releases (v8.20.7), so I assume we are "good" for this vulnerability. Please advise.

            Niranjan added a comment -

            Is there a workaround for 8.20.5?


            Bastian Stehmann added a comment -

            8.20.6 is included in the Fix Versions, so it should be fixed there.

            Kevin Lange added a comment -

            @Atlassian Support

            Can we please get a response for the LTS 8.20 versions?

            Christoph Monig added a comment -

            @Sinan Yildirim They fixed it in 8.13.18 LTS, just install version 8.13.18 and you're good.

            Sinan Yildirim added a comment -

            Is there also a fix for 8.13.16?

            klaus zerwes added a comment -

            At least some information regarding the LTS releases would be appreciated ...

            Christoph Monig added a comment -

            Hello,

            would it be possible to mitigate this issue by blocking the endpoint:

             /secure/admin/RestoreDefaults.jspa

            Or could this cause other issues?

            Thanks.

            Jan Lichter added a comment -

            ... and for 8.13.x LTS?
