CVE-2021-39112

Published: Aug 25, 2021Modified: Nov 21, 2024

4.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: NVD

Description

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to redirect users to a malicious URL via a reverse tabnapping vulnerability in the Project Shortcuts feature. The affected versions are before version 8.5.15, from version 8.6.0 before 8.13.7, from version 8.14.0 before 8.17.1, and from version 8.18.0 before 8.18.1.

Affected (8)

Products: Atlassian: Data Center, Jira, Jira Data Center, Jira Server

4 products

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Atlassian Data Center	Before 8.5.15
Atlassian Jira	Before 8.5.15
Atlassian Jira Data Center	From 8.14.0 to 8.17.1
Atlassian Jira Data Center	From 8.18.0 to 8.18.1
Atlassian Jira Data Center	From 8.6.0 to 8.13.7
Atlassian Jira Server	From 8.14.0 to 8.17.1
Atlassian Jira Server	From 8.18.0 to 8.18.1
Atlassian Jira Server	From 8.6.0 to 8.13.7

Related CWEs

CWE-1022

Use of Web Link to Untrusted Target with window.opener Access

The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References (2)

https://jira.atlassian.com/browse/JRASERVER-72433

Source: security@atlassian.com

PatchVendor Advisory

https://jira.atlassian.com/browse/JRASERVER-72433

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.