
    198 vulnerabilities found for Jira Server by Atlassian

    CVE-2019-15002 (GCVE-0-2019-15002)

    Vulnerability from nvd – Published: 2025-02-11 17:24 – Updated: 2025-03-13 14:15
    VLAI
    Summary
    An exploitable CSRF vulnerability exists in Atlassian Jira, from versions 7.6.4 to 8.1.0. The login form doesn’t require a CSRF token. As a result, an attacker can log a user into the system under an unexpected account.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-Site Request Forgery
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Unaffected: unspecified , < 7.6.4 (custom)
    Affected: unspecified , < 8.1.0 (custom)
    Atlassian Jira Data Center Unaffected: unspecified , < 7.6.4 (custom)
    Affected: unspecified , < 8.1.0 (custom)
    Date Public
    2019-09-16 00:00

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2019-15002",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-28T20:49:41.973789Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-352",
                    "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-13T14:15:39.823Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "7.6.4",
                  "status": "unaffected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.1.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "7.6.4",
                  "status": "unaffected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.1.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-09-16T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An exploitable CSRF vulnerability exists in Atlassian Jira, from versions 7.6.4 to 8.1.0. The login form doesn\u2019t require a CSRF token. As a result, an attacker can log a user into the system under an unexpected account."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Request Forgery",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-11T17:24:15.763Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-67979"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2019-15002",
        "datePublished": "2025-02-11T17:24:15.763Z",
        "dateReserved": "2019-08-13T00:00:00.000Z",
        "dateUpdated": "2025-03-13T14:15:39.823Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-36801 (GCVE-0-2022-36801)

    Vulnerability from nvd – Published: 2022-08-10 02:20 – Updated: 2024-10-29 15:15
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (RXSS) vulnerability in the TeamManagement.jspa endpoint. The affected versions are before version 8.20.8.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Reflected Cross-Site Scripting (RXSS)
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.20.8 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.20.8 (custom)
    Date Public
    2022-08-09 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T10:14:28.388Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-73740"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-36801",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-02T14:13:24.699295Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-29T15:15:10.791Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.20.8",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.20.8",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2022-08-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (RXSS) vulnerability in the TeamManagement.jspa endpoint. The affected versions are before version 8.20.8."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Reflected Cross-Site Scripting (RXSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-10T02:20:09.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-73740"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2022-08-09T00:00:00",
              "ID": "CVE-2022-36801",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.8"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.8"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (RXSS) vulnerability in the TeamManagement.jspa endpoint. The affected versions are before version 8.20.8."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Reflected Cross-Site Scripting (RXSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-73740",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-73740"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2022-36801",
        "datePublished": "2022-08-10T02:20:09.601Z",
        "dateReserved": "2022-07-26T00:00:00.000Z",
        "dateUpdated": "2024-10-29T15:15:10.791Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-36799 (GCVE-0-2022-36799)

    Vulnerability from nvd – Published: 2022-08-01 01:15 – Updated: 2024-10-03 18:44
    VLAI
    Summary
    This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. In this case the security improvement was to protect against using the XStream library to be able to execute arbitrary code in velocity templates. The affected versions are before version 8.13.19, from version 8.14.0 before 8.20.7, and from version 8.21.0 before 8.22.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Remote Code Execution (RCE)
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.13.19 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.7 (custom)
    Affected: 8.21.0 , < unspecified (custom)
    Affected: unspecified , < 8.22.1 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.13.19 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.7 (custom)
    Affected: 8.21.0 , < unspecified (custom)
    Affected: unspecified , < 8.22.1 (custom)
    atlassian jira_server Affected: 0 , < 8.13.19 (custom)
    Affected: 8.14.0 , < 8.20.7 (custom)
    Affected: 8.21.0 , < 8.22.1 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    atlassian jira_data_center Affected: 0 , < 8.13.19 (custom)
    Affected: 8.14.0 , < 8.20.7 (custom)
    Affected: 8.21.0 , < 8.22.1 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    Date Public
    2022-07-29 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T10:14:28.495Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-73582"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.19",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.20.7",
                    "status": "affected",
                    "version": "8.14.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.22.1",
                    "status": "affected",
                    "version": "8.21.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.19",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.20.7",
                    "status": "affected",
                    "version": "8.14.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.22.1",
                    "status": "affected",
                    "version": "8.21.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.2,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-36799",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-03T18:37:25.567188Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-94",
                    "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-03T18:44:09.152Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.19",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.7",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.21.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.22.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.19",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.7",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.21.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.22.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2022-07-29T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. In this case the security improvement was to protect against using the XStream library to be able to execute arbitrary code in velocity templates. The affected versions are before version 8.13.19, from version 8.14.0 before 8.20.7, and from version 8.21.0 before 8.22.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Remote Code Execution (RCE)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-01T01:15:12.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-73582"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2022-07-29T00:00:00",
              "ID": "CVE-2022-36799",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.19"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.7"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.21.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.22.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.19"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.7"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.21.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.22.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. In this case the security improvement was to protect against using the XStream library to be able to execute arbitrary code in velocity templates. The affected versions are before version 8.13.19, from version 8.14.0 before 8.20.7, and from version 8.21.0 before 8.22.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Remote Code Execution (RCE)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-73582",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-73582"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2022-36799",
        "datePublished": "2022-08-01T01:15:12.567Z",
        "dateReserved": "2022-07-26T00:00:00.000Z",
        "dateUpdated": "2024-10-03T18:44:09.152Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-43944 (GCVE-0-2021-43944)

    Vulnerability from nvd – Published: 2022-03-08 02:00 – Updated: 2024-10-04 18:45
    VLAI
    Summary
    This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Remote Code Execution (RCE)
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.13.15 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.3 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.13.15 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.3 (custom)
    atlassian jira_data_center Affected: 0 , < 8.13.15 (custom)
    Affected: 8.14.0 , < 8.20.3 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    atlassian jira_server Affected: 0 , < 8.13.15 (custom)
    Affected: 8.14.0 , < 8.20.3 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    Date Public
    2021-12-31 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:10:17.165Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-73072"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.15",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.20.3",
                    "status": "affected",
                    "version": "8.14.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.15",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.20.3",
                    "status": "affected",
                    "version": "8.14.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.2,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-43944",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-04T18:13:12.369938Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-94",
                    "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-04T18:45:21.133Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.15",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.15",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-12-31T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Remote Code Execution (RCE)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-08T02:00:13.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-73072"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-12-31T00:00:00",
              "ID": "CVE-2021-43944",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.15"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.3"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.15"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Remote Code Execution (RCE)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-73072",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-73072"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-43944",
        "datePublished": "2022-03-08T02:00:13.209Z",
        "dateReserved": "2021-11-16T00:00:00.000Z",
        "dateUpdated": "2024-10-04T18:45:21.133Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-43945 (GCVE-0-2021-43945)

    Vulnerability from nvd – Published: 2022-02-28 00:20 – Updated: 2024-10-04 18:12
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint. The affected versions are before version 8.20.3.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Stored Cross-Site Scripting (SXSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.20.3 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.20.3 (custom)
    Date Public
    2021-12-31 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:10:17.223Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-73069"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-43945",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-04T18:12:39.802413Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-04T18:12:49.031Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.20.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.20.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-12-31T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint. The affected versions are before version 8.20.3."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Stored Cross-Site Scripting (SXSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-28T00:20:09.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-73069"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-12-31T00:00:00",
              "ID": "CVE-2021-43945",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.3"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint. The affected versions are before version 8.20.3."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Stored Cross-Site Scripting (SXSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-73069",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-73069"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-43945",
        "datePublished": "2022-02-28T00:20:09.118Z",
        "dateReserved": "2021-11-16T00:00:00.000Z",
        "dateUpdated": "2024-10-04T18:12:49.031Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-43941 (GCVE-0-2021-43941)

    Vulnerability from nvd – Published: 2022-02-15 03:30 – Updated: 2024-10-08 17:37
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify several resources (including CsvFieldMappingsPage.jspa and ImporterValueMappingsPage.jspa) via a Cross-Site Request Forgery (CSRF) vulnerability in the jira-importers-plugin. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
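    Atlassian Jira Server Affected: unspecified , < 8.13.15 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.3 (custom)
    Note: the second and third rows are the two ends of a single range (8.14.0 up to, but not including, 8.20.3), as the summary states. Read on its own, the third row would wrongly mark fixed 8.13.x releases from 8.13.15 onward as affected. The Jira Data Center rows follow the same pattern.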
    Atlassian Jira Data Center Affected: unspecified , < 8.13.15 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.3 (custom)
    Date Public
    2021-12-28 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:10:17.147Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-73073"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-43941",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-08T17:37:11.606863Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-08T17:37:25.273Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.15",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.15",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-12-28T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify several resources (including CsvFieldMappingsPage.jspa and ImporterValueMappingsPage.jspa) via a Cross-Site Request Forgery (CSRF) vulnerability in the jira-importers-plugin. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-15T03:30:09.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-73073"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-12-28T00:00:00",
              "ID": "CVE-2021-43941",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.15"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.3"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.15"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify several resources (including CsvFieldMappingsPage.jspa and ImporterValueMappingsPage.jspa) via a Cross-Site Request Forgery (CSRF) vulnerability in the jira-importers-plugin. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross Site Request Forgery (CSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-73073",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-73073"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-43941",
        "datePublished": "2022-02-15T03:30:09.668Z",
        "dateReserved": "2021-11-16T00:00:00.000Z",
        "dateUpdated": "2024-10-08T17:37:25.273Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-43953 (GCVE-0-2021-43953)

    Vulnerability from nvd – Published: 2022-02-15 02:40 – Updated: 2024-10-08 14:38
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
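    Atlassian Jira Server Affected: unspecified , < 8.13.16 (custom)
    Affected: next of 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.5 (custom)
    Note: the second and third rows are the two ends of a single range ending before 8.20.5. The summary gives its start as "from version 8.14.0", while the record's lower bound reads "next of 8.14.0"; the two do not match, so check the vendor issue (JRASERVER-73170) before treating 8.14.0 itself as unaffected. The Jira Data Center rows follow the same pattern.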
    Atlassian Jira Data Center Affected: unspecified , < 8.13.16 (custom)
    Affected: next of 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.5 (custom)
    Date Public
    2022-01-06 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:10:16.450Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-73170"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-43953",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-08T14:38:34.132122Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-08T14:38:59.629Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.16",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "next of 8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.5",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.16",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "next of 8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.5",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2022-01-06T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-14T01:45:17.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-73170"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2022-01-06T00:00:00",
              "ID": "CVE-2021-43953",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.16"
                              },
                              {
                                "version_affected": "\u003e",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.5"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.16"
                              },
                              {
                                "version_affected": "\u003e",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.5"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Request Forgery (CSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-73170",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-73170"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-43953",
        "datePublished": "2022-02-15T02:40:10.288Z",
        "dateReserved": "2021-11-16T00:00:00.000Z",
        "dateUpdated": "2024-10-08T14:38:59.629Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-43952 (GCVE-0-2021-43952)

    Vulnerability from nvd – Published: 2022-02-15 00:45 – Updated: 2024-10-04 18:11
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to restore the default configuration of fields via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/RestoreDefaults.jspa endpoint. The affected versions are before version 8.21.0.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.21.0 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.21.0 (custom)
    Date Public
    2022-01-06 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:10:17.284Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-73138"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-43952",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-04T18:11:48.528564Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-04T18:11:59.302Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.21.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.21.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2022-01-06T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to restore the default configuration of fields via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/RestoreDefaults.jspa endpoint. The affected versions are before version 8.21.0."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-15T00:45:09.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-73138"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2022-01-06T00:00:00",
              "ID": "CVE-2021-43952",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.21.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.21.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to restore the default configuration of fields via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/RestoreDefaults.jspa endpoint. The affected versions are before version 8.21.0."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Request Forgery (CSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-73138",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-73138"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-43952",
        "datePublished": "2022-02-15T00:45:10.037Z",
        "dateReserved": "2021-11-16T00:00:00.000Z",
        "dateUpdated": "2024-10-04T18:11:59.302Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-43947 (GCVE-0-2021-43947)

    Vulnerability from nvd – Published: 2022-01-06 01:05 – Updated: 2024-10-08 14:34
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to execute arbitrary code via a Remote Code Execution (RCE) vulnerability in the Email Templates feature. This issue bypasses the fix of https://jira.atlassian.com/browse/JSDSERVER-8665. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Remote Code Execution (RCE)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.13.15 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.3 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.13.15 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.3 (custom)
    atlassian jira_data_center Affected: 0 , < 8.13.15 (custom)
    Affected: 8.14.0 , < 8.20.3 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    atlassian jira_server Affected: 0 , < 8.13.15 (custom)
    Affected: 8.14.0 , < 8.20.3 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    Date Public
    2022-01-05 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:10:17.270Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-73067"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.15",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.20.3",
                    "status": "affected",
                    "version": "8.14.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.15",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.20.3",
                    "status": "affected",
                    "version": "8.14.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.2,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-43947",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-08T14:28:34.740441Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-08T14:34:08.233Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.15",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.15",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2022-01-05T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to execute arbitrary code via a Remote Code Execution (RCE) vulnerability in the Email Templates feature. This issue bypasses the fix of https://jira.atlassian.com/browse/JSDSERVER-8665. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Remote Code Execution (RCE)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-06T01:05:09.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-73067"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2022-01-05T00:00:00",
              "ID": "CVE-2021-43947",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.15"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.3"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.15"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to execute arbitrary code via a Remote Code Execution (RCE) vulnerability in the Email Templates feature. This issue bypasses the fix of https://jira.atlassian.com/browse/JSDSERVER-8665. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Remote Code Execution (RCE)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-73067",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-73067"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-43947",
        "datePublished": "2022-01-06T01:05:10.045Z",
        "dateReserved": "2021-11-16T00:00:00.000Z",
        "dateUpdated": "2024-10-08T14:34:08.233Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-43946 (GCVE-0-2021-43946)

    Vulnerability from nvd – Published: 2022-01-05 03:40 – Updated: 2024-10-08 14:24
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to add administrator groups to filter subscriptions via a Broken Access Control vulnerability in the /secure/EditSubscription.jspa endpoint. The affected versions are before version 8.13.21, and from version 8.14.0 before 8.20.9.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.13.21 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.9 (custom)
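    Atlassian Jira Data Center Affected: unspecified , < 8.13.21 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.9 (custom)
    Note: for both products, the second and third entries are the two ends of a single range; as the Summary states, the affected versions are those before 8.13.21, and those from 8.14.0 up to but not including 8.20.9.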
    Date Public
    2021-12-31 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:10:17.348Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-73071"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-43946",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-08T14:23:52.557550Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-08T14:24:15.786Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.21",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.9",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.21",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.9",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-12-31T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to add administrator groups to filter subscriptions via a Broken Access Control vulnerability in the /secure/EditSubscription.jspa endpoint. The affected versions are before version 8.13.21, and from version 8.14.0 before 8.20.9."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-11-14T00:00:00.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JRASERVER-73071"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-43946",
        "datePublished": "2022-01-05T03:40:09.602Z",
        "dateReserved": "2021-11-16T00:00:00.000Z",
        "dateUpdated": "2024-10-08T14:24:15.786Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-43942 (GCVE-0-2021-43942)

    Vulnerability from nvd – Published: 2022-01-04 02:40 – Updated: 2024-10-08 14:23
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (XSS) vulnerability in the /rest/collectors/1.0/template/custom endpoint. To exploit this issue, the attacker must trick a user into visiting a malicious website. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Reflected Cross-Site Scripting (RXSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
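    Atlassian Jira Server Affected: unspecified , < 8.13.15 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.3 (custom)
    (Read together with the summary: the 8.14.0 row and the < 8.20.3 row describe a single range, from 8.14.0 up to but not including 8.20.3; releases from 8.13.15 up to 8.14.0 are not listed as affected.)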
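    Atlassian Jira Data Center Affected: unspecified , < 8.13.15 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.3 (custom)
    (Read together with the summary: the 8.14.0 row and the < 8.20.3 row describe a single range, from 8.14.0 up to but not including 8.20.3; releases from 8.13.15 up to 8.14.0 are not listed as affected.)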
    Date Public
    2021-12-30 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:10:17.127Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-73068"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-43942",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-08T14:22:39.399202Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-08T14:23:31.116Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.15",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.15",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-12-30T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (XSS) vulnerability in the /rest/collectors/1.0/template/custom endpoint. To exploit this issue, the attacker must trick a user into visiting a malicious website. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Reflected Cross-Site Scripting (RXSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-04T02:40:09.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-73068"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-12-30T00:00:00",
              "ID": "CVE-2021-43942",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.15"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.3"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.15"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (XSS) vulnerability in the /rest/collectors/1.0/template/custom endpoint. To exploit this issue, the attacker must trick a user into visiting a malicious website. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Reflected Cross-Site Scripting (RXSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-73068",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-73068"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-43942",
        "datePublished": "2022-01-04T02:40:09.824Z",
        "dateReserved": "2021-11-16T00:00:00.000Z",
        "dateUpdated": "2024-10-08T14:23:31.116Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41311 (GCVE-0-2021-41311)

    Vulnerability from nvd – Published: 2021-12-08 03:35 – Updated: 2024-10-10 14:00
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow attackers with access to an administrator account that has had its access revoked to modify projects' Users & Roles settings, via a Broken Authentication vulnerability in the /plugins/servlet/project-config/PROJECT/roles endpoint. The affected versions are before version 8.19.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Broken Authentication (CWE-287)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.19.1 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.19.1 (custom)
    atlassian jira_server Affected: 0 , < 8.19.1 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    atlassian jira_data_center Affected: 0 , < 8.19.1 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    Date Public
    2021-10-26 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:31.998Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72802"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.19.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.19.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-41311",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-10T13:57:21.858196Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-10T14:00:43.454Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-10-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow attackers with access to an administrator account that has had its access revoked to modify projects\u0027 Users \u0026 Roles settings, via a Broken Authentication vulnerability in the /plugins/servlet/project-config/PROJECT/roles endpoint. The affected versions are before version 8.19.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "Broken Authentication (CWE-287)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-08T03:35:11.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72802"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-10-26T00:00:00",
              "ID": "CVE-2021-41311",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow attackers with access to an administrator account that has had its access revoked to modify projects\u0027 Users \u0026 Roles settings, via a Broken Authentication vulnerability in the /plugins/servlet/project-config/PROJECT/roles endpoint. The affected versions are before version 8.19.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Broken Authentication (CWE-287)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72802",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72802"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-41311",
        "datePublished": "2021-12-08T03:35:11.838Z",
        "dateReserved": "2021-09-16T00:00:00.000Z",
        "dateUpdated": "2024-10-10T14:00:43.454Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41309 (GCVE-0-2021-41309)

    Vulnerability from nvd – Published: 2021-12-08 03:35 – Updated: 2024-10-10 13:52
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow a user who has had their Jira Service Management access revoked to export audit logs of another user's Jira Service Management project via a Broken Authentication vulnerability in the /plugins/servlet/audit/resource endpoint. The affected versions of Jira Server and Data Center are before version 8.19.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Broken Authentication (CWE-287)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.19.1 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.19.1 (custom)
    atlassian jira_server Affected: 0 , < 8.19.1 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    atlassian jira_data_center Affected: 0 , < 8.19.1 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    Date Public
    2021-10-27 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:31.877Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72803"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.19.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.19.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-41309",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-10T13:48:08.586317Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-10T13:52:47.289Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-10-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow a user who has had their Jira Service Management access revoked to export audit logs of another user\u0027s Jira Service Management project via a Broken Authentication vulnerability in the /plugins/servlet/audit/resource endpoint. The affected versions of Jira Server and Data Center are before version 8.19.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "Broken Authentication (CWE-287)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-08T03:35:10.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72803"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-10-27T00:00:00",
              "ID": "CVE-2021-41309",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow a user who has had their Jira Service Management access revoked to export audit logs of another user\u0027s Jira Service Management project via a Broken Authentication vulnerability in the /plugins/servlet/audit/resource endpoint. The affected versions of Jira Server and Data Center are before version 8.19.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Broken Authentication (CWE-287)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72803",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72803"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-41309",
        "datePublished": "2021-12-08T03:35:10.422Z",
        "dateReserved": "2021-09-16T00:00:00.000Z",
        "dateUpdated": "2024-10-10T13:52:47.289Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41312 (GCVE-0-2021-41312)

    Vulnerability from nvd – Published: 2021-11-03 03:50 – Updated: 2024-10-10 13:45
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow a remote attacker who has had their access revoked from Jira Service Management to enable and disable Issue Collectors on Jira Service Management projects via an Improper Authentication vulnerability in the /secure/ViewCollectors endpoint. The affected versions are before version 8.19.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication (CWE-287)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.19.1 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.19.1 (custom)
    atlassian jira_server Affected: 0 , < 8.19.1 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    atlassian jira_data_center Affected: 0 , < 8.19.1 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    Date Public
    2021-10-26 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:31.935Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72801"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.19.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.19.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-41312",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-10T13:44:04.544542Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-10T13:45:52.185Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-10-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow a remote attacker who has had their access revoked from Jira Service Management to enable and disable Issue Collectors on Jira Service Management projects via an Improper Authentication vulnerability in the /secure/ViewCollectors endpoint. The affected versions are before version 8.19.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "Improper Authentication (CWE-287)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-03T03:50:33.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72801"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-10-26T00:00:00",
              "ID": "CVE-2021-41312",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow a remote attacker who has had their access revoked from Jira Service Management to enable and disable Issue Collectors on Jira Service Management projects via an Improper Authentication vulnerability in the /secure/ViewCollectors endpoint. The affected versions are before version 8.19.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Authentication (CWE-287)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72801",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72801"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-41312",
        "datePublished": "2021-11-03T03:50:33.432Z",
        "dateReserved": "2021-09-16T00:00:00.000Z",
        "dateUpdated": "2024-10-10T13:45:52.185Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41310 (GCVE-0-2021-41310)

    Vulnerability from nvd – Published: 2021-11-01 22:55 – Updated: 2024-10-09 20:25
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Associated Projects feature (/secure/admin/AssociatedProjectsForCustomField.jspa). The affected versions are before version 8.5.19, from version 8.6.0 before 8.13.11, and from version 8.14.0 before 8.19.1.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Stored Cross-Site Scripting (SXSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.5.19 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.11 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.19.1 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.5.19 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.11 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.19.1 (custom)
    Date Public
    2021-10-26 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:31.865Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72800"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-41310",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T20:25:21.259049Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-09T20:25:50.011Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.19",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.11",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.19",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.11",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-10-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Associated Projects feature (/secure/admin/AssociatedProjectsForCustomField.jspa). The affected versions are before version 8.5.19, from version 8.6.0 before 8.13.11, and from version 8.14.0 before 8.19.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Stored Cross-Site Scripting (SXSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-01T22:55:09.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72800"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-10-26T00:00:00",
              "ID": "CVE-2021-41310",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.19"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.11"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.19"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.11"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Associated Projects feature (/secure/admin/AssociatedProjectsForCustomField.jspa). The affected versions are before version 8.5.19, from version 8.6.0 before 8.13.11, and from version 8.14.0 before 8.19.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Stored Cross-Site Scripting (SXSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72800",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72800"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-41310",
        "datePublished": "2021-11-01T22:55:09.292Z",
        "dateReserved": "2021-09-16T00:00:00.000Z",
        "dateUpdated": "2024-10-09T20:25:50.011Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-15002 (GCVE-0-2019-15002)

    Vulnerability from cvelistv5 – Published: 2025-02-11 17:24 – Updated: 2025-03-13 14:15
    VLAI
    Summary
    An exploitable CSRF vulnerability exists in Atlassian Jira, from versions 7.6.4 to 8.1.0. The login form doesn’t require a CSRF token. As a result, an attacker can log a user into the system under an unexpected account.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-Site Request Forgery
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Unaffected: unspecified , < 7.6.4 (custom)
    Affected: unspecified , < 8.1.0 (custom)
    Atlassian Jira Data Center Unaffected: unspecified , < 7.6.4 (custom)
    Affected: unspecified , < 8.1.0 (custom)
    Date Public
    2019-09-16 00:00

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2019-15002",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-28T20:49:41.973789Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-352",
                    "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-13T14:15:39.823Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "7.6.4",
                  "status": "unaffected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.1.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "7.6.4",
                  "status": "unaffected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.1.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2019-09-16T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "An exploitable CSRF vulnerability exists in Atlassian Jira, from versions 7.6.4 to 8.1.0. The login form doesn\u2019t require a CSRF token. As a result, an attacker can log a user into the system under an unexpected account."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Request Forgery",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-11T17:24:15.763Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-67979"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2019-15002",
        "datePublished": "2025-02-11T17:24:15.763Z",
        "dateReserved": "2019-08-13T00:00:00.000Z",
        "dateUpdated": "2025-03-13T14:15:39.823Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-36801 (GCVE-0-2022-36801)

    Vulnerability from cvelistv5 – Published: 2022-08-10 02:20 – Updated: 2024-10-29 15:15
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (RXSS) vulnerability in the TeamManagement.jspa endpoint. The affected versions are before version 8.20.8.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Reflected Cross-Site Scripting (RXSS)
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.20.8 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.20.8 (custom)
    Date Public
    2022-08-09 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T10:14:28.388Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-73740"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-36801",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-02T14:13:24.699295Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-29T15:15:10.791Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.20.8",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.20.8",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2022-08-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (RXSS) vulnerability in the TeamManagement.jspa endpoint. The affected versions are before version 8.20.8."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Reflected Cross-Site Scripting (RXSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-10T02:20:09.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-73740"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2022-08-09T00:00:00",
              "ID": "CVE-2022-36801",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.8"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.8"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (RXSS) vulnerability in the TeamManagement.jspa endpoint. The affected versions are before version 8.20.8."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Reflected Cross-Site Scripting (RXSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-73740",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-73740"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2022-36801",
        "datePublished": "2022-08-10T02:20:09.601Z",
        "dateReserved": "2022-07-26T00:00:00.000Z",
        "dateUpdated": "2024-10-29T15:15:10.791Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-36799 (GCVE-0-2022-36799)

    Vulnerability from cvelistv5 – Published: 2022-08-01 01:15 – Updated: 2024-10-03 18:44
    VLAI
    Summary
    This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. In this case the security improvement was to protect against using the XStream library to be able to execute arbitrary code in velocity templates. The affected versions are before version 8.13.19, from version 8.14.0 before 8.20.7, and from version 8.21.0 before 8.22.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Remote Code Execution (RCE)
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.13.19 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.7 (custom)
    Affected: 8.21.0 , < unspecified (custom)
    Affected: unspecified , < 8.22.1 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.13.19 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.7 (custom)
    Affected: 8.21.0 , < unspecified (custom)
    Affected: unspecified , < 8.22.1 (custom)
    atlassian jira_server Affected: 0 , < 8.13.19 (custom)
    Affected: 8.14.0 , < 8.20.7 (custom)
    Affected: 8.21.0 , < 8.22.1 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    atlassian jira_data_center Affected: 0 , < 8.13.19 (custom)
    Affected: 8.14.0 , < 8.20.7 (custom)
    Affected: 8.21.0 , < 8.22.1 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    Date Public
    2022-07-29 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T10:14:28.495Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-73582"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.19",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.20.7",
                    "status": "affected",
                    "version": "8.14.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.22.1",
                    "status": "affected",
                    "version": "8.21.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.19",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.20.7",
                    "status": "affected",
                    "version": "8.14.0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.22.1",
                    "status": "affected",
                    "version": "8.21.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.2,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-36799",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-03T18:37:25.567188Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-94",
                    "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-03T18:44:09.152Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.19",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.7",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.21.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.22.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.19",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.7",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.21.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.22.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2022-07-29T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. In this case the security improvement was to protect against using the XStream library to be able to execute arbitrary code in velocity templates. The affected versions are before version 8.13.19, from version 8.14.0 before 8.20.7, and from version 8.21.0 before 8.22.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Remote Code Execution (RCE)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-01T01:15:12.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-73582"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2022-07-29T00:00:00",
              "ID": "CVE-2022-36799",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.19"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.7"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.21.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.22.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.19"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.7"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.21.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.22.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. In this case the security improvement was to protect against using the XStream library to be able to execute arbitrary code in velocity templates. The affected versions are before version 8.13.19, from version 8.14.0 before 8.20.7, and from version 8.21.0 before 8.22.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Remote Code Execution (RCE)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-73582",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-73582"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2022-36799",
        "datePublished": "2022-08-01T01:15:12.567Z",
        "dateReserved": "2022-07-26T00:00:00.000Z",
        "dateUpdated": "2024-10-03T18:44:09.152Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-43944 (GCVE-0-2021-43944)

    Vulnerability from cvelistv5 – Published: 2022-03-08 02:00 – Updated: 2024-10-04 18:45
    VLAI
    Summary
    This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Remote Code Execution (RCE)
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.13.15 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.3 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.13.15 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.3 (custom)
    atlassian jira_data_center Affected: 0 , < 8.13.15 (custom)
    Affected: 8.14.0 , < 8.20.3 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    atlassian jira_server Affected: 0 , < 8.13.15 (custom)
    Affected: 8.14.0 , < 8.20.3 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    Date Public
    2021-12-31 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:10:17.165Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-73072"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.15",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.20.3",
                    "status": "affected",
                    "version": "8.14.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.15",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.20.3",
                    "status": "affected",
                    "version": "8.14.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.2,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-43944",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-04T18:13:12.369938Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-94",
                    "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-04T18:45:21.133Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.15",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.15",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-12-31T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Remote Code Execution (RCE)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-08T02:00:13.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-73072"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-12-31T00:00:00",
              "ID": "CVE-2021-43944",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.15"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.3"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.15"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Remote Code Execution (RCE)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-73072",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-73072"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-43944",
        "datePublished": "2022-03-08T02:00:13.209Z",
        "dateReserved": "2021-11-16T00:00:00.000Z",
        "dateUpdated": "2024-10-04T18:45:21.133Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-43945 (GCVE-0-2021-43945)

    Vulnerability from cvelistv5 – Published: 2022-02-28 00:20 – Updated: 2024-10-04 18:12
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint. The affected versions are before version 8.20.3.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Stored Cross-Site Scripting (SXSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.20.3 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.20.3 (custom)
    Date Public
    2021-12-31 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:10:17.223Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-73069"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-43945",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-04T18:12:39.802413Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-04T18:12:49.031Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.20.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.20.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-12-31T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint. The affected versions are before version 8.20.3."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Stored Cross-Site Scripting (SXSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-28T00:20:09.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-73069"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-12-31T00:00:00",
              "ID": "CVE-2021-43945",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.3"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers with Roadmaps Administrator permissions to inject arbitrary HTML or JavaScript via a Stored Cross-Site Scripting (SXSS) vulnerability in the /rest/jpo/1.0/hierarchyConfiguration endpoint. The affected versions are before version 8.20.3."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Stored Cross-Site Scripting (SXSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-73069",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-73069"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-43945",
        "datePublished": "2022-02-28T00:20:09.118Z",
        "dateReserved": "2021-11-16T00:00:00.000Z",
        "dateUpdated": "2024-10-04T18:12:49.031Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-43941 (GCVE-0-2021-43941)

    Vulnerability from cvelistv5 – Published: 2022-02-15 03:30 – Updated: 2024-10-08 17:37
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify several resources (including CsvFieldMappingsPage.jspa and ImporterValueMappingsPage.jspa) via a Cross-Site Request Forgery (CSRF) vulnerability in the jira-importers-plugin. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.13.15 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.3 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.13.15 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.3 (custom)
    Date Public
    2021-12-28 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:10:17.147Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-73073"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-43941",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-08T17:37:11.606863Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-08T17:37:25.273Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.15",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.15",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-12-28T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify several resources (including CsvFieldMappingsPage.jspa and ImporterValueMappingsPage.jspa) via a Cross-Site Request Forgery (CSRF) vulnerability in the jira-importers-plugin. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-15T03:30:09.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-73073"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-12-28T00:00:00",
              "ID": "CVE-2021-43941",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.15"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.3"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.15"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify several resources (including CsvFieldMappingsPage.jspa and ImporterValueMappingsPage.jspa) via a Cross-Site Request Forgery (CSRF) vulnerability in the jira-importers-plugin. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross Site Request Forgery (CSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-73073",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-73073"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-43941",
        "datePublished": "2022-02-15T03:30:09.668Z",
        "dateReserved": "2021-11-16T00:00:00.000Z",
        "dateUpdated": "2024-10-08T17:37:25.273Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-43953 (GCVE-0-2021-43953)

    Vulnerability from cvelistv5 – Published: 2022-02-15 02:40 – Updated: 2024-10-08 14:38
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.13.16 (custom)
    Affected: next of 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.5 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.13.16 (custom)
    Affected: next of 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.5 (custom)
    Date Public
    2022-01-06 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:10:16.450Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-73170"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-43953",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-08T14:38:34.132122Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-08T14:38:59.629Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.16",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "next of 8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.5",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.16",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "next of 8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.5",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2022-01-06T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-14T01:45:17.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-73170"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2022-01-06T00:00:00",
              "ID": "CVE-2021-43953",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.16"
                              },
                              {
                                "version_affected": "\u003e",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.5"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.16"
                              },
                              {
                                "version_affected": "\u003e",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.5"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to toggle the Thread Contention and CPU monitoring settings via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/ViewInstrumentation.jspa endpoint. The affected versions are before version 8.13.16, and from version 8.14.0 before 8.20.5."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Request Forgery (CSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-73170",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-73170"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-43953",
        "datePublished": "2022-02-15T02:40:10.288Z",
        "dateReserved": "2021-11-16T00:00:00.000Z",
        "dateUpdated": "2024-10-08T14:38:59.629Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-43952 (GCVE-0-2021-43952)

    Vulnerability from cvelistv5 – Published: 2022-02-15 00:45 – Updated: 2024-10-04 18:11
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to restore the default configuration of fields via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/RestoreDefaults.jspa endpoint. The affected versions are before version 8.21.0.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.21.0 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.21.0 (custom)
    Date Public
    2022-01-06 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:10:17.284Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-73138"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-43952",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-04T18:11:48.528564Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-04T18:11:59.302Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.21.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.21.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2022-01-06T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to restore the default configuration of fields via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/RestoreDefaults.jspa endpoint. The affected versions are before version 8.21.0."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-15T00:45:09.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-73138"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2022-01-06T00:00:00",
              "ID": "CVE-2021-43952",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.21.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.21.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to restore the default configuration of fields via a Cross-Site Request Forgery (CSRF) vulnerability in the /secure/admin/RestoreDefaults.jspa endpoint. The affected versions are before version 8.21.0."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Request Forgery (CSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-73138",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-73138"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-43952",
        "datePublished": "2022-02-15T00:45:10.037Z",
        "dateReserved": "2021-11-16T00:00:00.000Z",
        "dateUpdated": "2024-10-04T18:11:59.302Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-43947 (GCVE-0-2021-43947)

    Vulnerability from cvelistv5 – Published: 2022-01-06 01:05 – Updated: 2024-10-08 14:34
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to execute arbitrary code via a Remote Code Execution (RCE) vulnerability in the Email Templates feature. This issue bypasses the fix of https://jira.atlassian.com/browse/JSDSERVER-8665. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Remote Code Execution (RCE)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.13.15 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.3 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.13.15 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.3 (custom)
    atlassian jira_data_center Affected: 0 , < 8.13.15 (custom)
    Affected: 8.14.0 , < 8.20.3 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    atlassian jira_server Affected: 0 , < 8.13.15 (custom)
    Affected: 8.14.0 , < 8.20.3 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    Date Public
    2022-01-05 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:10:17.270Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-73067"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.15",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.20.3",
                    "status": "affected",
                    "version": "8.14.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.15",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.20.3",
                    "status": "affected",
                    "version": "8.14.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.2,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-43947",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-08T14:28:34.740441Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-08T14:34:08.233Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.15",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.15",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2022-01-05T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to execute arbitrary code via a Remote Code Execution (RCE) vulnerability in the Email Templates feature. This issue bypasses the fix of https://jira.atlassian.com/browse/JSDSERVER-8665. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Remote Code Execution (RCE)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-06T01:05:09.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-73067"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2022-01-05T00:00:00",
              "ID": "CVE-2021-43947",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.15"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.3"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.15"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator privileges to execute arbitrary code via a Remote Code Execution (RCE) vulnerability in the Email Templates feature. This issue bypasses the fix of https://jira.atlassian.com/browse/JSDSERVER-8665. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Remote Code Execution (RCE)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-73067",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-73067"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-43947",
        "datePublished": "2022-01-06T01:05:10.045Z",
        "dateReserved": "2021-11-16T00:00:00.000Z",
        "dateUpdated": "2024-10-08T14:34:08.233Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-43946 (GCVE-0-2021-43946)

    Vulnerability from cvelistv5 – Published: 2022-01-05 03:40 – Updated: 2024-10-08 14:24
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to add administrator groups to filter subscriptions via a Broken Access Control vulnerability in the /secure/EditSubscription.jspa endpoint. The affected versions are before version 8.13.21, and from version 8.14.0 before 8.20.9.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.13.21 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.9 (custom)
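    Atlassian Jira Data Center Affected: unspecified , < 8.13.21 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.9 (custom)
        Note: for both products, the second and third rows are two halves of one range. Per the summary, the affected versions are before 8.13.21, and from 8.14.0 before 8.20.9; read on its own, the "< 8.20.9" row would also mark the fixed 8.13.21 release as affected.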
    Date Public
    2021-12-31 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:10:17.348Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-73071"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-43946",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-08T14:23:52.557550Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-08T14:24:15.786Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.21",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.9",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.21",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.9",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-12-31T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to add administrator groups to filter subscriptions via a Broken Access Control vulnerability in the /secure/EditSubscription.jspa endpoint. The affected versions are before version 8.13.21, and from version 8.14.0 before 8.20.9."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-11-14T00:00:00.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "url": "https://jira.atlassian.com/browse/JRASERVER-73071"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-43946",
        "datePublished": "2022-01-05T03:40:09.602Z",
        "dateReserved": "2021-11-16T00:00:00.000Z",
        "dateUpdated": "2024-10-08T14:24:15.786Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-43942 (GCVE-0-2021-43942)

    Vulnerability from cvelistv5 – Published: 2022-01-04 02:40 – Updated: 2024-10-08 14:23
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (XSS) vulnerability in the /rest/collectors/1.0/template/custom endpoint. To exploit this issue, the attacker must trick a user into visiting a malicious website. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Reflected Cross-Site Scripting (RXSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.13.15 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.3 (custom)
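    Atlassian Jira Data Center Affected: unspecified , < 8.13.15 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.3 (custom)
        Note: for both products, the second and third rows are two halves of one range. Per the summary, the affected versions are before 8.13.15, and from 8.14.0 before 8.20.3; read on its own, the "< 8.20.3" row would also mark the fixed 8.13.15 release as affected.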
    Date Public
    2021-12-30 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T04:10:17.127Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-73068"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-43942",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-08T14:22:39.399202Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-08T14:23:31.116Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.15",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.15",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-12-30T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (XSS) vulnerability in the /rest/collectors/1.0/template/custom endpoint. To exploit this issue, the attacker must trick a user into visiting a malicious website. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Reflected Cross-Site Scripting (RXSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-04T02:40:09.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-73068"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-12-30T00:00:00",
              "ID": "CVE-2021-43942",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.15"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.3"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.15"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (XSS) vulnerability in the /rest/collectors/1.0/template/custom endpoint. To exploit this issue, the attacker must trick a user into visiting a malicious website. The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Reflected Cross-Site Scripting (RXSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-73068",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-73068"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-43942",
        "datePublished": "2022-01-04T02:40:09.824Z",
        "dateReserved": "2021-11-16T00:00:00.000Z",
        "dateUpdated": "2024-10-08T14:23:31.116Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41311 (GCVE-0-2021-41311)

    Vulnerability from cvelistv5 – Published: 2021-12-08 03:35 – Updated: 2024-10-10 14:00
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow attackers with access to an administrator account that has had its access revoked to modify projects' Users & Roles settings, via a Broken Authentication vulnerability in the /plugins/servlet/project-config/PROJECT/roles endpoint. The affected versions are before version 8.19.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Broken Authentication (CWE-287)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.19.1 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.19.1 (custom)
    atlassian jira_server Affected: 0 , < 8.19.1 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    atlassian jira_data_center Affected: 0 , < 8.19.1 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    Date Public
    2021-10-26 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:31.998Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72802"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.19.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.19.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-41311",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-10T13:57:21.858196Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-10T14:00:43.454Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-10-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow attackers with access to an administrator account that has had its access revoked to modify projects\u0027 Users \u0026 Roles settings, via a Broken Authentication vulnerability in the /plugins/servlet/project-config/PROJECT/roles endpoint. The affected versions are before version 8.19.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "Broken Authentication (CWE-287)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-08T03:35:11.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72802"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-10-26T00:00:00",
              "ID": "CVE-2021-41311",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow attackers with access to an administrator account that has had its access revoked to modify projects\u0027 Users \u0026 Roles settings, via a Broken Authentication vulnerability in the /plugins/servlet/project-config/PROJECT/roles endpoint. The affected versions are before version 8.19.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Broken Authentication (CWE-287)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72802",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72802"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-41311",
        "datePublished": "2021-12-08T03:35:11.838Z",
        "dateReserved": "2021-09-16T00:00:00.000Z",
        "dateUpdated": "2024-10-10T14:00:43.454Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41309 (GCVE-0-2021-41309)

    Vulnerability from cvelistv5 – Published: 2021-12-08 03:35 – Updated: 2024-10-10 13:52
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow a user who has had their Jira Service Management access revoked to export audit logs of another user's Jira Service Management project via a Broken Authentication vulnerability in the /plugins/servlet/audit/resource endpoint. The affected versions of Jira Server and Data Center are before version 8.19.1.
    SSVC
    Exploitation: none; Automatable: yes; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Broken Authentication (CWE-287)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.19.1 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.19.1 (custom)
    atlassian jira_server Affected: 0 , < 8.19.1 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    atlassian jira_data_center Affected: 0 , < 8.19.1 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    Date Public
    2021-10-27 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:31.877Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72803"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.19.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.19.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-41309",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-10T13:48:08.586317Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-10T13:52:47.289Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-10-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow a user who has had their Jira Service Management access revoked to export audit logs of another user\u0027s Jira Service Management project via a Broken Authentication vulnerability in the /plugins/servlet/audit/resource endpoint. The affected versions of Jira Server and Data Center are before version 8.19.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "Broken Authentication (CWE-287)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-08T03:35:10.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72803"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-10-27T00:00:00",
              "ID": "CVE-2021-41309",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow a user who has had their Jira Service Management access revoked to export audit logs of another user\u0027s Jira Service Management project via a Broken Authentication vulnerability in the /plugins/servlet/audit/resource endpoint. The affected versions of Jira Server and Data Center are before version 8.19.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Broken Authentication (CWE-287)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72803",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72803"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-41309",
        "datePublished": "2021-12-08T03:35:10.422Z",
        "dateReserved": "2021-09-16T00:00:00.000Z",
        "dateUpdated": "2024-10-10T13:52:47.289Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41312 (GCVE-0-2021-41312)

    Vulnerability from cvelistv5 – Published: 2021-11-03 03:50 – Updated: 2024-10-10 13:45
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow a remote attacker who has had their access revoked from Jira Service Management to enable and disable Issue Collectors on Jira Service Management projects via an Improper Authentication vulnerability in the /secure/ViewCollectors endpoint. The affected versions are before version 8.19.1.
    SSVC
    Exploitation: none; Automatable: yes; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication (CWE-287)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.19.1 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.19.1 (custom)
    atlassian jira_server Affected: 0 , < 8.19.1 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    atlassian jira_data_center Affected: 0 , < 8.19.1 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    Date Public
    2021-10-26 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:31.935Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72801"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.19.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.19.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-41312",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-10T13:44:04.544542Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-10T13:45:52.185Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-10-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow a remote attacker who has had their access revoked from Jira Service Management to enable and disable Issue Collectors on Jira Service Management projects via an Improper Authentication vulnerability in the /secure/ViewCollectors endpoint. The affected versions are before version 8.19.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "Improper Authentication (CWE-287)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-03T03:50:33.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72801"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-10-26T00:00:00",
              "ID": "CVE-2021-41312",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow a remote attacker who has had their access revoked from Jira Service Management to enable and disable Issue Collectors on Jira Service Management projects via an Improper Authentication vulnerability in the /secure/ViewCollectors endpoint. The affected versions are before version 8.19.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Authentication (CWE-287)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72801",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72801"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-41312",
        "datePublished": "2021-11-03T03:50:33.432Z",
        "dateReserved": "2021-09-16T00:00:00.000Z",
        "dateUpdated": "2024-10-10T13:45:52.185Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41310 (GCVE-0-2021-41310)

    Vulnerability from cvelistv5 – Published: 2021-11-01 22:55 – Updated: 2024-10-09 20:25
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Associated Projects feature (/secure/admin/AssociatedProjectsForCustomField.jspa). The affected versions are before version 8.5.19, from version 8.6.0 before 8.13.11, and from version 8.14.0 before 8.19.1.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Stored Cross-Site Scripting (SXSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.5.19 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.11 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.19.1 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.5.19 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.11 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.19.1 (custom)
    Date Public
    2021-10-26 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:31.865Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72800"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-41310",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T20:25:21.259049Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-09T20:25:50.011Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.19",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.11",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.19",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.11",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-10-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Associated Projects feature (/secure/admin/AssociatedProjectsForCustomField.jspa). The affected versions are before version 8.5.19, from version 8.6.0 before 8.13.11, and from version 8.14.0 before 8.19.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Stored Cross-Site Scripting (SXSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-01T22:55:09.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72800"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-10-26T00:00:00",
              "ID": "CVE-2021-41310",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.19"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.11"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.19"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.11"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Associated Projects feature (/secure/admin/AssociatedProjectsForCustomField.jspa). The affected versions are before version 8.5.19, from version 8.6.0 before 8.13.11, and from version 8.14.0 before 8.19.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Stored Cross-Site Scripting (SXSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72800",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72800"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-41310",
        "datePublished": "2021-11-01T22:55:09.292Z",
        "dateReserved": "2021-09-16T00:00:00.000Z",
        "dateUpdated": "2024-10-09T20:25:50.011Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }