[JSDSERVER-10981] Names of private objects are leaked to unauthorized users via the "Move objects" feature - CVE-2021-43948 - Create and track feature requests for Atlassian products.

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Low
Fix Version/s: 4.21.0, 4.20.2
Affects Version/s: 4.20.0
Component/s: None
Labels:

CVSS Score:
3.1
CVSS Severity:
Medium
CVE ID:
CVE-2021-43948

Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view the names of private objects via an Improper Authorization vulnerability in the "Move objects" feature.

The affected versions are before version 4.21.0.

Affected versions:

version < 4.21.0

Fixed versions:

4.21.0

mentioned in: Page Failed to load

Form Name

pmarx added a comment - 21/Feb/2022 11:49 AM

pmarx added a comment - 21/Feb/2022 11:49 AM +1

klaus zerwes added a comment - 17/Feb/2022 10:36 PM

at least some information regarding the LTS releases would be appreciated ...

klaus zerwes added a comment - 17/Feb/2022 10:36 PM at least some information regarding the LTS releases would be appreciated ...

AB added a comment - 15/Feb/2022 3:36 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 3.1 => Low severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	High
Privileges Required	Low
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	Low
Integrity	None
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

AB added a comment - 15/Feb/2022 3:36 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 3.1 => Low severity Exploitability Metrics Attack Vector Network Attack Complexity High Privileges Required Low User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity None Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 22/Dec/2021 3:12 AM

Updated:: 25/Feb/2022 12:13 AM

Resolved:: 15/Feb/2022 3:37 AM

Details

Description

Attachments

Issue Links

Forms

Activity

[JSDSERVER-10981] Names of private objects are leaked to unauthorized users via the "Move objects" feature - CVE-2021-43948

Collapse comment: pmarx added a comment - 21/Feb/2022 11:49 AM

Expand comment: pmarx added a comment - 21/Feb/2022 11:49 AM

Collapse comment: klaus zerwes added a comment - 17/Feb/2022 10:36 PM

Expand comment: klaus zerwes added a comment - 17/Feb/2022 10:36 PM

Collapse comment: AB added a comment - 15/Feb/2022 3:36 AM

Expand comment: AB added a comment - 15/Feb/2022 3:36 AM

People

Dates

Backbone Issue Sync