CVE-2021-39126

Published: Oct 21, 2021Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify various resources via a Cross-Site Request Forgery (CSRF) vulnerability, following an Information Disclosure vulnerability in the referrer headers which discloses a user's CSRF token. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.

Affected (4)

Products: Atlassian: Jira Data Center, Jira Server

Atlassian

2 products

Jira Data Center

Jira Server

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Atlassian Jira Data Center	Before 8.5.10
Atlassian Jira Data Center	From 8.6.0 to 8.13.1
Atlassian Jira Server	Before 8.5.10
Atlassian Jira Server	From 8.6.0 to 8.13.1

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (2)

https://jira.atlassian.com/browse/JRASERVER-71806

Source: security@atlassian.com

Issue TrackingPatchVendor Advisory

https://jira.atlassian.com/browse/JRASERVER-71806

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchVendor Advisory

Timeline

No history available yet.