Project: Jira Service Management Data Center
Issue: JSDSERVER-10981

Names of private objects are leaked to unauthorized users via the "Move objects" feature - CVE-2021-43948

    • CVSS score: 3.1
    • Severity: Medium
    • CVE ID: CVE-2021-43948

      Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view the names of private objects via an Improper Authorization vulnerability in the "Move objects" feature.

      The affected versions are before version 4.21.0.

      Affected versions:

      • version < 4.21.0

      Fixed versions:

      • 4.21.0
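The advisory above states only the bug class and the impact (an Improper Authorization flaw in the "Move objects" feature that reveals the names of private objects to authenticated users); it does not say how the names were exposed or how the fix in 4.21.0 works. The Python below is an illustration added here, not code from Jira Service Management or Atlassian. It models one common shape of this bug class: a move handler that resolves the destination and echoes its name in a rejection message before checking whether the caller is allowed to see that object, beside a hardened handler that checks first and treats "not visible to you" exactly like "does not exist". The users, object names, `Store` class and `leaked_names` probe are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str


@dataclass
class Obj:
    id: int
    name: str
    readers: frozenset = frozenset()  # empty set models a public object
    parent: Optional[int] = None

    def visible_to(self, user: User) -> bool:
        return not self.readers or user.name in self.readers


class Store:
    def __init__(self, objects):
        self.by_id = {o.id: o for o in objects}


# Constructed sample data (hypothetical names, not from any real instance).
ALICE = User("alice")      # may read the private objects
MALLORY = User("mallory")  # authenticated, but not allowed to read them
SAMPLE_OBJECTS = [
    Obj(1, "Public Laptops"),
    Obj(2, "Public Monitors"),
    Obj(3, "Executive Devices", frozenset({"alice"})),
    Obj(4, "Legal Hold Servers", frozenset({"alice"})),
]
PRIVATE_NAMES = {"Executive Devices", "Legal Hold Servers"}


def build_store() -> Store:
    """Fresh copy of the sample data so each run starts from the same state."""
    return Store([Obj(o.id, o.name, o.readers) for o in SAMPLE_OBJECTS])


def move_vulnerable(store, user, object_id, dest_id):
    """Improper authorization: the destination is resolved and its name is put
    into the rejection message BEFORE checking that the caller may see it, so
    any authenticated caller can enumerate dest_id values and read the names."""
    src = store.by_id.get(object_id)
    dest = store.by_id.get(dest_id)
    if src is None or dest is None:
        return {"ok": False, "error": "No such object"}
    if not src.visible_to(user):
        return {"ok": False, "error": f"You cannot move '{src.name}'"}
    if not dest.visible_to(user):
        return {"ok": False, "error": f"You cannot move into '{dest.name}'"}
    src.parent = dest.id
    return {"ok": True}


def move_fixed(store, user, object_id, dest_id):
    """Hardened: an object the caller may not read is handled exactly like one
    that does not exist, and none of its attributes reach the response."""
    src = store.by_id.get(object_id)
    if src is None or not src.visible_to(user):
        return {"ok": False, "error": "Object not found"}
    dest = store.by_id.get(dest_id)
    if dest is None or not dest.visible_to(user):
        return {"ok": False, "error": "Destination not found"}
    src.parent = dest.id
    return {"ok": True}


def leaked_names(move_fn, store, attacker, private_names, id_range=range(1, 10)):
    """Simulates an authenticated attacker who can see one object and tries
    every candidate destination id; returns the private names seen in replies."""
    own = next(o for o in store.by_id.values() if o.visible_to(attacker))
    seen = set()
    for dest_id in id_range:
        reply = move_fn(store, attacker, own.id, dest_id)
        seen.update(n for n in private_names if n in reply.get("error", ""))
    return seen


if __name__ == "__main__":
    print("vulnerable leaks:", leaked_names(move_vulnerable, build_store(), MALLORY, PRIVATE_NAMES))
    print("fixed leaks:     ", leaked_names(move_fixed, build_store(), MALLORY, PRIVATE_NAMES))
```

The point of the hardened handler is the order of operations and the error wording: the read check on every referenced object runs before any of its attributes are used, and the caller gets the same opaque answer for an object it may not see as for one that does not exist, so enumerating identifiers yields nothing.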


            Sam Xu made changes -
            Fix Version/s New: 4.20.2 [ 98290 ]
            Nobuyuki Mukai made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 622657 ]

            pmarx added a comment -

            +1

            Security Metrics Bot made changes -
            CVE ID New: CVE-2021-43948

            klaus zerwes added a comment -

            at least some information regarding the LTS releases would be appreciated ...
            AB made changes -
            Resolution New: Fixed [ 1 ]
            Security Original: Atlassian Staff [ 10750 ]
            Status Original: Draft [ 12872 ] New: Published [ 12873 ]

            AB added a comment -

            This is an independent assessment and you should evaluate its applicability to your own IT environment.

            CVSS v3 score: 3.1 => Low severity

            Exploitability Metrics

            Attack Vector Network
            Attack Complexity High
            Privileges Required Low
            User Interaction None

            Scope Metric

            Scope Unchanged

            Impact Metrics

            Confidentiality Low
            Integrity None
            Availability None

            https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

            AB made changes -
            Summary Original: Names of private objects are leaked to unauthorized users via the "Move objects" feature New: Names of private objects are leaked to unauthorized users via the "Move objects" feature - CVE-2021-43948
            AB made changes -
            Description Original: Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view the names of private objects via an Insecure Direct Object References (IDOR) vulnerability in the "Move objects" feature.

            The affected versions are before version 4.21.0.

            *Affected versions:*

             * version < 4.21.0

            *Fixed versions:*

             * 4.21.0
            New: Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view the names of private objects via an Improper Authorization vulnerability in the "Move objects" feature.

            The affected versions are before version 4.21.0.

            *Affected versions:*

             * version < 4.21.0

            *Fixed versions:*

             * 4.21.0
            AB made changes -
            Description Original: Affected versions of Atlassian Jira Service Management Server and Data Center allow {authenticated or anonymous?} remote attackers to (insert the impact of the IDOR, e.g. "modify Blah setting", or "view Blah information") via an Insecure Direct Object References (IDOR) vulnerability in {component}.

            ((Use the `; versions` script here to list the fixed and affected versions))
            New: Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view the names of private objects via an Insecure Direct Object References (IDOR) vulnerability in the "Move objects" feature.

            The affected versions are before version 4.21.0.

            *Affected versions:*

             * version < 4.21.0

            *Fixed versions:*

             * 4.21.0

              Assignee: Unassigned
              Reporter: Security Metrics Bot
              Votes: 0
              Watchers: 4