Jira Data Center
JRASERVER-73170

CSRF allows toggling Thread Contention and CPU Monitoring - CVE-2021-43953

    • 3
    • Low
    • CVE-2021-43953

      Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint.

      The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5.

      Affected versions:

      • version < 8.13.16
      • 8.14.0 <= version < 8.20.5

      Fixed versions:

      • 8.13.16
      • 8.20.5
      • 8.21.0
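The advisory's version ranges as an executable check, added here as an example rather than code from Atlassian or from this ticket: it parses a Jira Server / Data Center version string, tests it against the two affected ranges listed above, and names the fixed release on that branch. Assumptions: only release versions are compared (a "-suffix" is dropped), and the ranges are taken verbatim from the list above, so anything at or past 8.13.16 on the 8.13 branch, at or past 8.20.5 on the 8.14–8.20 branches, and any 8.21.x is reported as not affected.

```python
"""Version-range check for CVE-2021-43953 (JRASERVER-73170).

Added example, not Atlassian's code. It encodes the affected and fixed
version ranges exactly as the advisory lists them and answers the question
that comes up in the ticket comments: is a given Jira Server / Data Center
version affected, and which fixed release on its branch closes the gap?
"""
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '8.20.5' (or '8.21', padded to '8.21.0') into a comparable tuple.

    Assumption: only release versions are checked; a '-suffix' such as a
    milestone tag is dropped rather than compared.
    """
    core = text.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


@dataclass(frozen=True)
class AffectedRange:
    """Half-open interval [lower, upper); lower=None means 'everything before upper'."""
    lower: Optional[Version]
    upper: Version  # the fixed release on this branch, exclusive
    fix: str        # the advisory's fixed version for this branch

    def contains(self, v: Version) -> bool:
        return (self.lower is None or self.lower <= v) and v < self.upper


# The two ranges from the advisory: "< 8.13.16" and "8.14.0 <= version < 8.20.5".
AFFECTED = (
    AffectedRange(None, parse_version("8.13.16"), fix="8.13.16"),
    AffectedRange(parse_version("8.14.0"), parse_version("8.20.5"), fix="8.20.5"),
)


def is_affected(version: str) -> bool:
    """True when the version falls inside any affected range."""
    v = parse_version(version)
    return any(r.contains(v) for r in AFFECTED)


def recommended_fix(version: str) -> Optional[str]:
    """Return the advisory's fixed release for the branch the instance is on,
    or None when the version is already outside every affected range."""
    v = parse_version(version)
    for r in AFFECTED:
        if r.contains(v):
            return r.fix
    return None


if __name__ == "__main__":
    # Constructed sample versions chosen to sit on both sides of each boundary.
    for candidate in ("8.13.15", "8.13.16", "8.14.0", "8.20.4", "8.20.5", "8.20.6", "8.21.0"):
        status = "AFFECTED" if is_affected(candidate) else "not affected"
        fix = recommended_fix(candidate)
        print(f"{candidate:>8}: {status}" + (f", upgrade to {fix}" if fix else ""))
```

Running the block reports 8.13.15, 8.14.0 and 8.20.4 as affected and 8.13.16, 8.20.5, 8.20.6 and 8.21.0 as not affected, which is the reading of the ranges that the comments below arrive at: 8.20.5 and later on the 8.20 branch already carry the fix.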

            Edson Araujo made changes -
            Remote Link Original: This issue links to "JSEC-690 (Bulldog)" [ 622607 ] New: This issue links to "JSEC-690 (JIRA Server (Bulldog))" [ 622607 ]
            Mandeep Jadon made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 733449 ]
            David Black made changes -
            Description Original: Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint.

            The affected versions are before version 8.13.16, from version 8.14.0 before 8.20.5.

            *Affected versions:*
             * version < 8.13.16
             * 8.14.0 <= version < 8.20.5

            *Fixed versions:*
             * 8.13.16
             * 8.20.5
             * 8.21.0
            New: Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint.

            The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5.

            *Affected versions:*
             * version < 8.13.16
             * 8.14.0 <= version < 8.20.5

            *Fixed versions:*
             * 8.13.16
             * 8.20.5
             * 8.21.0
            David Black made changes -
            Labels Original: advisory advisory-to-release dont-import security New: advisory advisory-released dont-import security
            David Black made changes -
            Description Original: Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint.

            The affected versions are before version 8.21.0.

            *Affected versions:*
             * version < 8.21.0

            *Fixed versions:*
             * 8.21.0
            New: Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint.

            The affected versions are before version 8.13.16, from version 8.14.0 before 8.20.5.

            *Affected versions:*
             * version < 8.13.16
             * 8.14.0 <= version < 8.20.5

            *Fixed versions:*
             * 8.13.16
             * 8.20.5
             * 8.21.0

            Kevin Lange added a comment - The published CVE needs to be adjusted as well.

            Beate Hübner added a comment - @Christoph Monig: In fact, I assume it is a cumulative fix, but I want to make sure. At least the Fix Version/s should be updated.

            Christoph Monig added a comment - @Beate Hübner I would assume it does, since they had fixed it in 8.20.5. They would not reintroduce the problem in the subsequent version. But they could be clearer and explicitly list "<8.20.5" under "Affected versions".

Beate Hübner added a comment - Does version 8.20.6 also fix this issue?

José Pablo Hernández added a comment - I opened a support ticket to get info about when to expect the fix in LTS releases, and it turns out the fix was already released in 8.20.5 and 8.13.16, but they failed to mention it in this ticket. I see the "Fix Versions" info in this ticket is now updated accordingly. I was also told there are no workarounds at the moment, so upgrade is the way to go.

Assignee: Unassigned
Reporter: Security Metrics Bot
Votes: 0
Watchers: 14