CVE-2021-26069

Published: Mar 22, 2021Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to download temporary files and enumerate project keys via an Information Disclosure vulnerability in the /rest/api/1.0/issues/{id}/ActionsAndOperations API endpoint. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.

Affected (6)

Products: Atlassian: Data Center, Jira, Jira Data Center, Jira Server

4 products

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Atlassian Data Center	Before 8.5.11
Atlassian Data Center	From 8.6.0 to 8.13.3
Atlassian Jira	Before 8.5.11
Atlassian Jira Data Center	From 8.14.0 to 8.15.0
Atlassian Jira Server	From 8.14.0 to 8.15.0
Atlassian Jira Server	From 8.6.0 to 8.13.3

Related CWEs

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References (2)

https://jira.atlassian.com/browse/JRASERVER-72010

Source: security@atlassian.com

Issue TrackingPatchVendor Advisory

https://jira.atlassian.com/browse/JRASERVER-72010

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchVendor Advisory

Timeline

No history available yet.