-
Public Security Vulnerability
-
Resolution: Fixed
-
Low (View bug fix roadmap)
-
8.20.0
-
None
-
3
-
Low
-
CVE-2021-43953
Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint.
The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5.
Affected versions:
- version < 8.13.16
- 8.14.0 <= version < 8.20.5
Fixed versions:
- 8.13.16
- 8.20.5
- 8.21.0
[JRASERVER-73170] CSRF allows toggling Thread Contention and CPU Monitoring - CVE-2021-43953
@Christoph Monig: In fact, I assume it is a cumulative fix, but I want to make sure.
At least the Fix Version/s should be updated.
@Beate Hübner I would assume it does, since they had fixed it in 8.20.5. They would not reintroduce the problem in the subsequent version. But they could be clearer and explicitly list "<8.20.5" under "Affected versions".
I opened a support ticket to get info about when to expect the fix in LTS releases and turns out the fix was already released in 8.20.5 and 8.13.16, but they failed to mentioned it in this ticket. I see the "Fix Versions" info in this ticket is now updated accordingly. I was also told there are no workarounds at the moment, so upgrade is the way to go.
at least some information regarding the LTS releases would be appreciated ...
Can this be mitigated by blocking the /secure/admin/ViewInstrumentation.jspa endpoint in either an application firewall or reverse proxy?
The published CVE needs to be adjusted as well.