Affected versions of Atlassian Jira Server and Data Centre allow remote attackers to modify the hierarchy structure of the Portfolio Plugin via a Broken Access Control vulnerability in the hierarchy configuration component.

The affected versions are before version 8.20.4, and from version 8.21.0 before 8.22.0.

Affected versions:

• version < 8.20.4
• 8.21.0 ≤ version < 8.22.0

Fixed versions:

• 8.20.4
• 8.22.0