• Type: Public Security Vulnerability
• Resolution: Fixed
• Priority: Low
• Fix Version/s: 4.21.0, 4.20.2
• Affects Version/s: 4.20.0
• Component/s: None
• Labels:

  • advisory
  • advisory-to-release
  • dont-import
  • security

[JSDSERVER-10981] Names of private objects are leaked to unauthorized users via the "Move objects" feature - CVE-2021-43948

Sam Xu made changes - 25/Feb/2022 12:13 AM

Fix Version/s

New: 4.20.2 [ 98290 ]

Nobuyuki Mukai made changes - 22/Feb/2022 1:51 AM

Remote Link

New: This issue links to "Page (Confluence)" [ 622657 ]

Security Metrics Bot made changes - 20/Feb/2022 8:28 PM

CVE ID

New: CVE-2021-43948

AB made changes - 15/Feb/2022 3:37 AM

Resolution		New: Fixed [ 1 ]
Security	Original: Atlassian Staff [ 10750 ]
Status	Original: Draft [ 12872 ]	New: Published [ 12873 ]

AB made changes - 15/Feb/2022 3:35 AM

Summary

Original: Names of private objects are leaked to unauthorized users via the "Move objects" feature

New: Names of private objects are leaked to unauthorized users via the "Move objects" feature - CVE-2021-43948

AB made changes - 05/Jan/2022 5:18 AM

Description

Original: Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view the names of private objects via an Insecure Direct Object References (IDOR) vulnerability in the "Move objects" feature. The affected versions are before version 4.21.0. *Affected versions:*  * version < 4.21.0 *Fixed versions:*  * 4.21.0

New: Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view the names of private objects via an Improper Authorization vulnerability in the "Move objects" feature. The affected versions are before version 4.21.0. *Affected versions:*  * version < 4.21.0 *Fixed versions:*  * 4.21.0

AB made changes - 05/Jan/2022 5:13 AM

Description

Original: Affected versions of Atlassian Jira Service Management Server and Data Center allow {authenticated or anonymous?} remote attackers to (insert the impact of the IDOR, e.g. "modify Blah setting", or "view Blah information") via an Insecure Direct Object References (IDOR) vulnerability in {component}. ((Use the `; versions` script here to list the fixed and affected versions))

New: Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view the names of private objects via an Insecure Direct Object References (IDOR) vulnerability in the "Move objects" feature. The affected versions are before version 4.21.0. *Affected versions:*  * version < 4.21.0 *Fixed versions:*  * 4.21.0

AB made changes - 05/Jan/2022 5:13 AM

Summary

Original: REST API Endpoint Leaked private object to unauthorized user via "Move objects" feature

New: Names of private objects are leaked to unauthorized users via the "Move objects" feature

AB made changes - 05/Jan/2022 5:12 AM

Description

Original: This vulnerability affects certain versions of Atlassian Jira Service Management Server. Please describe the impact of the vulnerability here. No known vulnerability could be read off of the parent.

New: Affected versions of Atlassian Jira Service Management Server and Data Center allow {authenticated or anonymous?} remote attackers to (insert the impact of the IDOR, e.g. "modify Blah setting", or "view Blah information") via an Insecure Direct Object References (IDOR) vulnerability in {component}. ((Use the `; versions` script here to list the fixed and affected versions))

AB made changes - 05/Jan/2022 5:12 AM

Summary

Original: REST API Endpoint Leaked private object to unauthorized user by [move object]

New: REST API Endpoint Leaked private object to unauthorized user via "Move objects" feature

Load more older history items