Uploaded image for project: 'Jira Service Management Data Center'
  1. Jira Service Management Data Center
  2. JSDSERVER-10982

An unauthorized user can view private objects via the Custom Fields feature - CVE-2021-43949

XMLWordPrintable

    • 5.3
    • Medium
    • CVE-2021-43949

      Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view private objects via a Broken Access Control vulnerability in the Custom Fields feature.

      The affected versions are before version 4.21.0.

      Affected versions:

      • version < 4.21.0

      Fixed versions:

      • 4.21.0

            [JSDSERVER-10982] An unauthorized user can view private objects via the Custom Fields feature - CVE-2021-43949

            David Black made changes -
            Labels Original: advisory advisory-to-release dont-import security New: advisory advisory-released dont-import security
            David Chan made changes -
            Fix Version/s New: 4.20.4 [ 98814 ]
            Security Metrics Bot made changes -
            CVE ID New: CVE-2021-43949
            AB made changes -
            Security Original: Atlassian Staff [ 10750 ]
            AB made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Draft [ 12872 ] New: Published [ 12873 ]
            AB made changes -
            Summary Original: An unauthorized user can view private objects via the Custom Fields feature - CVE registration for this issue is already in progress New: An unauthorized user can view private objects via the Custom Fields feature - CVE-2021-43949
            AB made changes -
            Summary Original: An unauthorized user can view private objects via the Custom Fields feature New: An unauthorized user can view private objects via the Custom Fields feature - CVE registration for this issue is already in progress
            AB made changes -
            Description Original:
            This vulnerability affects certain versions of Atlassian Jira Service Management Server. Please describe the impact of the vulnerability here. No known vulnerability could be read off of the parent.
            		 New: Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view private objects via a Broken Access Control vulnerability in the Custom Fields feature.

            The affected versions are before version 4.21.0.

            *Affected versions:*

             * version < 4.21.0

            *Fixed versions:*

             * 4.21.0
            AB made changes -
            Summary Original: REST API Endpoint Leaked private object by [Custom Fields] to unauthorized user New: An unauthorized user can view private objects via the Custom Fields feature
            Security Metrics Bot made changes -
            Labels New: advisory advisory-to-release dont-import security
            Security Metrics Bot created issue -

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: