
    78 vulnerabilities found for jira_software_data_center by atlassian

    CVE-2021-41311 (GCVE-0-2021-41311)

    Vulnerability from nvd – Published: 2021-12-08 03:35 – Updated: 2024-10-10 14:00
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow attackers with access to an administrator account that has had its access revoked to modify projects' Users & Roles settings, via a Broken Authentication vulnerability in the /plugins/servlet/project-config/PROJECT/roles endpoint. The affected versions are before version 8.19.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Broken Authentication (CWE-287)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.19.1 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.19.1 (custom)
    atlassian jira_server Affected: 0 , < 8.19.1 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    atlassian jira_data_center Affected: 0 , < 8.19.1 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    Date Public
    2021-10-26 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:31.998Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72802"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.19.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.19.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-41311",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-10T13:57:21.858196Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-10T14:00:43.454Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-10-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow attackers with access to an administrator account that has had its access revoked to modify projects\u0027 Users \u0026 Roles settings, via a Broken Authentication vulnerability in the /plugins/servlet/project-config/PROJECT/roles endpoint. The affected versions are before version 8.19.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "Broken Authentication (CWE-287)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-08T03:35:11.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72802"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-10-26T00:00:00",
              "ID": "CVE-2021-41311",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow attackers with access to an administrator account that has had its access revoked to modify projects\u0027 Users \u0026 Roles settings, via a Broken Authentication vulnerability in the /plugins/servlet/project-config/PROJECT/roles endpoint. The affected versions are before version 8.19.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Broken Authentication (CWE-287)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72802",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72802"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-41311",
        "datePublished": "2021-12-08T03:35:11.838Z",
        "dateReserved": "2021-09-16T00:00:00.000Z",
        "dateUpdated": "2024-10-10T14:00:43.454Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41309 (GCVE-0-2021-41309)

    Vulnerability from nvd – Published: 2021-12-08 03:35 – Updated: 2024-10-10 13:52
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow a user who has had their Jira Service Management access revoked to export audit logs of another user's Jira Service Management project via a Broken Authentication vulnerability in the /plugins/servlet/audit/resource endpoint. The affected versions of Jira Server and Data Center are before version 8.19.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Broken Authentication (CWE-287)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.19.1 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.19.1 (custom)
    atlassian jira_server Affected: 0 , < 8.19.1 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    atlassian jira_data_center Affected: 0 , < 8.19.1 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    Date Public
    2021-10-27 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:31.877Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72803"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.19.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.19.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-41309",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-10T13:48:08.586317Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-10T13:52:47.289Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-10-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow a user who has had their Jira Service Management access revoked to export audit logs of another user\u0027s Jira Service Management project via a Broken Authentication vulnerability in the /plugins/servlet/audit/resource endpoint. The affected versions of Jira Server and Data Center are before version 8.19.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "Broken Authentication (CWE-287)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-08T03:35:10.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72803"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-10-27T00:00:00",
              "ID": "CVE-2021-41309",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow a user who has had their Jira Service Management access revoked to export audit logs of another user\u0027s Jira Service Management project via a Broken Authentication vulnerability in the /plugins/servlet/audit/resource endpoint. The affected versions of Jira Server and Data Center are before version 8.19.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Broken Authentication (CWE-287)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72803",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72803"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-41309",
        "datePublished": "2021-12-08T03:35:10.422Z",
        "dateReserved": "2021-09-16T00:00:00.000Z",
        "dateUpdated": "2024-10-10T13:52:47.289Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41310 (GCVE-0-2021-41310)

    Vulnerability from nvd – Published: 2021-11-01 22:55 – Updated: 2024-10-09 20:25
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Associated Projects feature (/secure/admin/AssociatedProjectsForCustomField.jspa). The affected versions are before version 8.5.19, from version 8.6.0 before 8.13.11, and from version 8.14.0 before 8.19.1.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Stored Cross-Site Scripting (SXSS)
    Assigner
    References
    Impacted products
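    Vendor Product Version (an "unspecified" bound marks half of a range; per the Summary the affected ranges are: before 8.5.19, 8.6.0 up to but not including 8.13.11, and 8.14.0 up to but not including 8.19.1)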
    Atlassian Jira Server Affected: unspecified , < 8.5.19 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.11 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.19.1 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.5.19 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.11 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.19.1 (custom)
    Date Public
    2021-10-26 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:31.865Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72800"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-41310",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T20:25:21.259049Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-09T20:25:50.011Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.19",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.11",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.19",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.11",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-10-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Associated Projects feature (/secure/admin/AssociatedProjectsForCustomField.jspa). The affected versions are before version 8.5.19, from version 8.6.0 before 8.13.11, and from version 8.14.0 before 8.19.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Stored Cross-Site Scripting (SXSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-01T22:55:09.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72800"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-10-26T00:00:00",
              "ID": "CVE-2021-41310",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.19"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.11"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.19"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.11"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Associated Projects feature (/secure/admin/AssociatedProjectsForCustomField.jspa). The affected versions are before version 8.5.19, from version 8.6.0 before 8.13.11, and from version 8.14.0 before 8.19.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Stored Cross-Site Scripting (SXSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72800",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72800"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-41310",
        "datePublished": "2021-11-01T22:55:09.292Z",
        "dateReserved": "2021-09-16T00:00:00.000Z",
        "dateUpdated": "2024-10-09T20:25:50.011Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41308 (GCVE-0-2021-41308)

    Vulnerability from nvd – Published: 2021-10-26 04:15 – Updated: 2024-10-09 19:23
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint. The affected versions are before version 8.6.0, from version 8.7.0 before 8.13.12, and from version 8.14.0 before 8.20.1.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-285 - Improper Authorization (CWE-285)
    Assigner
    References
    Impacted products
    Vendor Product Version
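    Atlassian Jira Server Affected: unspecified , < 8.6.0 (custom)
    Affected: 8.7.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.12 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.1 (custom)
    Note: each row is a single lower or upper bound taken from the CNA record, not a complete range. Paired as in the Summary, the affected ranges are: before 8.6.0; from 8.7.0 before 8.13.12; from 8.14.0 before 8.20.1. The Jira Data Center rows below follow the same pattern.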
    Atlassian Jira Data Center Affected: unspecified , < 8.6.0 (custom)
    Affected: 8.7.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.12 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.1 (custom)
    Date Public
    2021-10-25 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:31.936Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72940"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-41308",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T19:23:07.362491Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-09T19:23:22.782Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.6.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.7.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.6.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.7.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-10-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint. The affected versions are before version 8.6.0, from version 8.7.0 before 8.13.12, and from version 8.14.0 before 8.20.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization (CWE-285)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-26T04:15:22.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72940"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-10-25T00:00:00",
              "ID": "CVE-2021-41308",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.7.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.12"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.7.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.12"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint. The affected versions are before version 8.6.0, from version 8.7.0 before 8.13.12, and from version 8.14.0 before 8.20.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Authorization (CWE-285)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72940",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72940"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-41308",
        "datePublished": "2021-10-26T04:15:22.911Z",
        "dateReserved": "2021-09-16T00:00:00.000Z",
        "dateUpdated": "2024-10-09T19:23:22.782Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41307 (GCVE-0-2021-41307)

    Vulnerability from nvd – Published: 2021-10-26 04:15 – Updated: 2024-10-09 19:20
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References (IDOR) vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Insecure Direct Object References (IDOR)
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
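    Atlassian Jira Server Affected: unspecified , < 8.13.12 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.0 (custom)
    Note: each row is a single lower or upper bound taken from the CNA record, not a complete range. Paired as in the Summary, the affected ranges are: before 8.13.12; from 8.14.0 before 8.20.0, which matches the lowercase atlassian jira_server rows further down. The Jira Data Center rows below follow the same pattern.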
    Atlassian Jira Data Center Affected: unspecified , < 8.13.12 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.0 (custom)
    atlassian jira_data_center Affected: 0 , < 8.13.12 (custom)
    Affected: 8.14.0 , < 8.20.0 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    atlassian jira_server Affected: 0 , < 8.13.12 (custom)
    Affected: 8.14.0 , < 8.20.0 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    Date Public
    2021-10-25 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:31.948Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72916"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.12",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.20.0",
                    "status": "affected",
                    "version": "8.14.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.12",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.20.0",
                    "status": "affected",
                    "version": "8.14.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-41307",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T18:22:28.141294Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-639",
                    "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-09T19:20:41.686Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-10-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References (IDOR) vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Insecure Direct Object References (IDOR)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-26T04:15:21.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72916"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-10-25T00:00:00",
              "ID": "CVE-2021-41307",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.12"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.12"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References (IDOR) vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Insecure Direct Object References (IDOR)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72916",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72916"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-41307",
        "datePublished": "2021-10-26T04:15:21.297Z",
        "dateReserved": "2021-09-16T00:00:00.000Z",
        "dateUpdated": "2024-10-09T19:20:41.686Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41306 (GCVE-0-2021-41306)

    Vulnerability from nvd – Published: 2021-10-26 04:15 – Updated: 2024-10-09 18:21
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References (IDOR) vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Insecure Direct Object References (IDOR)
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
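    Atlassian Jira Server Affected: unspecified , < 8.13.12 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.0 (custom)
    Note: each row is a single lower or upper bound taken from the CNA record, not a complete range. Paired as in the Summary, the affected ranges are: before 8.13.12; from 8.14.0 before 8.20.0, which matches the lowercase atlassian jira_server rows further down. The Jira Data Center rows below follow the same pattern.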
    Atlassian Jira Data Center Affected: unspecified , < 8.13.12 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.0 (custom)
    atlassian jira_data_center Affected: 0 , < 8.13.12 (custom)
    Affected: 8.14.0 , < 8.20.0 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    atlassian jira_server Affected: 0 , < 8.13.12 (custom)
    Affected: 8.14.0 , < 8.20.0 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    Date Public
    2021-10-25 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:31.997Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72915"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.12",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.20.0",
                    "status": "affected",
                    "version": "8.14.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.12",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.20.0",
                    "status": "affected",
                    "version": "8.14.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-41306",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T18:17:30.707203Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-639",
                    "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-09T18:21:09.274Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-10-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References (IDOR) vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Insecure Direct Object References (IDOR)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-26T04:15:19.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72915"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-10-25T00:00:00",
              "ID": "CVE-2021-41306",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.12"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.12"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References (IDOR) vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Insecure Direct Object References (IDOR)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72915",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72915"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-41306",
        "datePublished": "2021-10-26T04:15:19.782Z",
        "dateReserved": "2021-09-16T00:00:00.000Z",
        "dateUpdated": "2024-10-09T18:21:09.274Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41305 (GCVE-0-2021-41305)

    Vulnerability from nvd – Published: 2021-10-26 04:15 – Updated: 2024-10-09 16:52
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view the names of private projects and filters via an Insecure Direct Object References (IDOR) vulnerability in the Average Number of Times in Status Gadget. The affected versions are before version 8.13.12.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Insecure Direct Object References (IDOR)
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.13.12 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.13.12 (custom)
    atlassian jira_data_center Affected: 0 , < 8.13.12 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    atlassian jira_server Affected: 0 , < 8.13.12 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    Date Public
    2021-10-25 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:32.012Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72813"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.12",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.12",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-41305",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T16:49:26.505533Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-639",
                    "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-09T16:52:39.165Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-10-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view the names of private projects and filters via an Insecure Direct Object References (IDOR) vulnerability in the Average Number of Times in Status Gadget. The affected versions are before version 8.13.12.."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Insecure Direct Object References (IDOR)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-26T04:15:18.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72813"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-10-25T00:00:00",
              "ID": "CVE-2021-41305",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.12"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.12"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view the names of private projects and filters via an Insecure Direct Object References (IDOR) vulnerability in the Average Number of Times in Status Gadget. The affected versions are before version 8.13.12.."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Insecure Direct Object References (IDOR)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72813",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72813"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-41305",
        "datePublished": "2021-10-26T04:15:18.259Z",
        "dateReserved": "2021-09-16T00:00:00.000Z",
        "dateUpdated": "2024-10-09T16:52:39.165Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-39127 (GCVE-0-2021-39127)

    Vulnerability from nvd – Published: 2021-10-21 02:35 – Updated: 2024-10-10 16:05
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to [access] the query component JQL endpoint via a Broken Access Control (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.5.10 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.1 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.5.10 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.1 (custom)
    atlassian jira_server Affected: 0 , < 8.5.10 (custom)
    Affected: 8.6.0 , < 8.13.1 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    atlassian jira_data_center Affected: 0 , < 8.5.10 (custom)
    Affected: 8.6.0 , < 8.13.1 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    Date Public
    2021-09-14 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T01:58:17.643Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72003"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.5.10",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.13.1",
                    "status": "affected",
                    "version": "8.6.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.5.10",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.13.1",
                    "status": "affected",
                    "version": "8.6.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-39127",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-10T16:01:59.411320Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-10T16:05:21.853Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.10",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.10",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-09-14T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-21T02:35:10.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72003"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-09-14T00:00:00",
              "ID": "CVE-2021-39127",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.10"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.10"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72003",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72003"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-39127",
        "datePublished": "2021-10-21T02:35:10.353Z",
        "dateReserved": "2021-08-16T00:00:00.000Z",
        "dateUpdated": "2024-10-10T16:05:21.853Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-36236 (GCVE-0-2020-36236)

    Vulnerability from nvd – Published: 2021-02-14 23:50 – Updated: 2024-09-17 02:16
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.
    Severity
    No CVSS data available.
    CWE
    • Cross-Site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.5.11 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.3 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.15.0 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.5.11 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.3 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.15.0 (custom)
    Date Public
    2021-02-04 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T17:23:09.649Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72015"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.11",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.15.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.11",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.15.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-14T23:50:13.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72015"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-02-04T00:00:00",
              "ID": "CVE-2020-36236",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.11"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.3"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.15.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.11"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.3"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.15.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72015",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72015"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-36236",
        "datePublished": "2021-02-14T23:50:13.382Z",
        "dateReserved": "2021-01-27T00:00:00.000Z",
        "dateUpdated": "2024-09-17T02:16:55.095Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-36235 (GCVE-0-2020-36235)

    Vulnerability from nvd – Published: 2021-02-14 23:45 – Updated: 2024-09-16 16:24
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view. The affected versions are before version 8.13.2, and from version 8.14.0 before 8.14.1.
    Severity
    No CVSS data available.
    CWE
    • Information Disclosure
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.13.2 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.14.1 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.13.2 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.14.1 (custom)
    Date Public
    2021-02-04 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T17:23:09.655Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71950"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.14.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.14.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view. The affected versions are before version 8.13.2, and from version 8.14.0 before 8.14.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Information Disclosure",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-14T23:45:12.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71950"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-02-04T00:00:00",
              "ID": "CVE-2020-36235",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.2"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.14.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.2"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.14.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view. The affected versions are before version 8.13.2, and from version 8.14.0 before 8.14.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Information Disclosure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71950",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71950"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-36235",
        "datePublished": "2021-02-14T23:45:12.759Z",
        "dateReserved": "2021-01-27T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:24:07.752Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-36231 (GCVE-0-2020-36231)

    Vulnerability from nvd – Published: 2021-02-01 23:40 – Updated: 2024-09-16 17:14
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2.
    Severity
    No CVSS data available.
    CWE
    • Insecure Direct Object References (IDOR)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.5.10 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.2 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.5.10 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.2 (custom)
    Date Public
    2021-01-21 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T17:23:09.962Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72002"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.10",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.10",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-01-21T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Insecure Direct Object References (IDOR)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-01T23:40:12.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72002"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-01-21T00:00:00",
              "ID": "CVE-2020-36231",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.10"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.2"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.10"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Insecure Direct Object References (IDOR)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72002",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72002"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-36231",
        "datePublished": "2021-02-01T23:40:12.974Z",
        "dateReserved": "2021-01-27T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:14:09.087Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-14178 (GCVE-0-2020-14178)

    Vulnerability from nvd – Published: 2020-09-01 04:25 – Updated: 2024-09-16 22:45
    VLAI
    Summary
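    Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project keys via an Information Disclosure vulnerability in the /browse.PROJECTKEY endpoint. The affected versions are before version 7.13.7, from version 8.0.0 before 8.5.8, and from version 8.6.0 before 8.12.0. Note: the structured version data in this same record gives the first bound as < 7.13.17, not 7.13.7 as stated in this summary; confirm the fixed version against the vendor issue JRASERVER-71498 before relying on either value for patch triage or scanner rules.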
    Severity
    No CVSS data available.
    CWE
    • Information Disclosure
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 7.13.17 (custom)
    Affected: 8.0.0 , < unspecified (custom)
    Affected: unspecified , < 8.5.8 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.12.0 (custom)
    Date Public
    2020-09-01 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T12:39:36.164Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71498"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "7.13.17",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.5.8",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.12.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-09-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project keys via an Information Disclosure vulnerability in the /browse.PROJECTKEY endpoint. The affected versions are before version 7.13.7, from version 8.0.0 before 8.5.8, and from version 8.6.0 before 8.12.0."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Information Disclosure",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-09-01T04:25:13.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71498"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-09-01T00:00:00",
              "ID": "CVE-2020-14178",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "7.13.17"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.0.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.8"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.12.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project keys via an Information Disclosure vulnerability in the /browse.PROJECTKEY endpoint. The affected versions are before version 7.13.7, from version 8.0.0 before 8.5.8, and from version 8.6.0 before 8.12.0."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Information Disclosure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71498",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71498"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-14178",
        "datePublished": "2020-09-01T04:25:13.421Z",
        "dateReserved": "2020-06-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:45:49.594Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-14174 (GCVE-0-2020-14174)

    Vulnerability from nvd – Published: 2020-07-13 04:45 – Updated: 2024-09-16 20:31
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, from version 8.6.0 before 8.9.2, and from version 8.10.0 before 8.10.1.
    Severity
    No CVSS data available.
    CWE
    • Insecure Direct Object References (IDOR)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 7.13.6 (custom)
    Affected: 8.0.0 , < unspecified (custom)
    Affected: unspecified , < 8.5.7 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.9.2 (custom)
    Affected: 8.10.0 , < unspecified (custom)
    Affected: unspecified , < 8.10.1 (custom)
    Date Public
    2020-07-08 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T12:39:36.196Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71275"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "7.13.6",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.5.7",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.9.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.10.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.10.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-07-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, from version 8.6.0 before 8.9.2, and from version 8.10.0 before 8.10.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Insecure Direct Object References (IDOR)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-13T04:45:13.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71275"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-07-08T00:00:00",
              "ID": "CVE-2020-14174",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "7.13.6"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.0.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.7"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.9.2"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.10.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.10.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, from version 8.6.0 before 8.9.2, and from version 8.10.0 before 8.10.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Insecure Direct Object References (IDOR)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71275",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71275"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-14174",
        "datePublished": "2020-07-13T04:45:13.167Z",
        "dateReserved": "2020-06-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T20:31:56.101Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-20899 (GCVE-0-2019-20899)

    Vulnerability from nvd – Published: 2020-07-13 01:00 – Updated: 2024-09-17 00:41
    VLAI
    Summary
    The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1.
    Severity
    No CVSS data available.
    CWE
    • Denial of Service
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.5.4 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.6.1 (custom)
    Date Public
    2020-03-23 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T02:53:09.541Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-70808"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.4",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.6.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-03-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Denial of Service",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-13T01:00:16.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-70808"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-03-23T00:00:00",
              "ID": "CVE-2019-20899",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.4"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.6.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Denial of Service"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-70808",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-70808"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2019-20899",
        "datePublished": "2020-07-13T01:00:16.851Z",
        "dateReserved": "2020-07-07T00:00:00.000Z",
        "dateUpdated": "2024-09-17T00:41:28.244Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-20898 (GCVE-0-2019-20898)

    Vulnerability from nvd – Published: 2020-07-13 00:55 – Updated: 2024-09-16 23:30
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0.
    Severity
    No CVSS data available.
    CWE
    • Information Disclosure
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.8.0 (custom)
    Date Public
    2020-04-22 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T02:53:09.498Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-70942"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.8.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-04-22T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Information Disclosure",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-13T00:55:12.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-70942"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-04-22T00:00:00",
              "ID": "CVE-2019-20898",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.8.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Information Disclosure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-70942",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-70942"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2019-20898",
        "datePublished": "2020-07-13T00:55:12.380Z",
        "dateReserved": "2020-07-07T00:00:00.000Z",
        "dateUpdated": "2024-09-16T23:30:41.180Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-20897 (GCVE-0-2019-20897)

    Vulnerability from nvd – Published: 2020-07-13 00:50 – Updated: 2024-09-16 17:33
    VLAI
    Summary
    The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1.
    Severity
    No CVSS data available.
    CWE
    • Denial of Service
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.5.4 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.6.2 (custom)
    Affected: 8.7.0 , < unspecified (custom)
    Affected: unspecified , < 8.7.1 (custom)
    Date Public
    2020-03-24 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T02:53:09.487Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-70813"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.4",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.6.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.7.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.7.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-03-24T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Denial of Service",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-13T00:50:11.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-70813"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-03-24T00:00:00",
              "ID": "CVE-2019-20897",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.4"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.6.2"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.7.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.7.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The avatar upload feature in affected versions of Atlassian Jira Server and Data Center allows remote attackers to achieve Denial of Service via a crafted PNG file. The affected versions are before version 8.5.4, from version 8.6.0 before 8.6.2, and from version 8.7.0 before 8.7.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Denial of Service"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-70813",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-70813"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2019-20897",
        "datePublished": "2020-07-13T00:50:11.654Z",
        "dateReserved": "2020-07-07T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:33:31.211Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41311 (GCVE-0-2021-41311)

    Vulnerability from cvelistv5 – Published: 2021-12-08 03:35 – Updated: 2024-10-10 14:00
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow attackers with access to an administrator account that has had its access revoked to modify projects' Users & Roles settings, via a Broken Authentication vulnerability in the /plugins/servlet/project-config/PROJECT/roles endpoint. The affected versions are before version 8.19.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Broken Authentication (CWE-287)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.19.1 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.19.1 (custom)
    atlassian jira_server Affected: 0 , < 8.19.1 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    atlassian jira_data_center Affected: 0 , < 8.19.1 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    Date Public
    2021-10-26 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:31.998Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72802"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.19.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.19.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-41311",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-10T13:57:21.858196Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-10T14:00:43.454Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-10-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow attackers with access to an administrator account that has had its access revoked to modify projects\u0027 Users \u0026 Roles settings, via a Broken Authentication vulnerability in the /plugins/servlet/project-config/PROJECT/roles endpoint. The affected versions are before version 8.19.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "Broken Authentication (CWE-287)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-08T03:35:11.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72802"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-10-26T00:00:00",
              "ID": "CVE-2021-41311",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow attackers with access to an administrator account that has had its access revoked to modify projects\u0027 Users \u0026 Roles settings, via a Broken Authentication vulnerability in the /plugins/servlet/project-config/PROJECT/roles endpoint. The affected versions are before version 8.19.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Broken Authentication (CWE-287)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72802",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72802"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-41311",
        "datePublished": "2021-12-08T03:35:11.838Z",
        "dateReserved": "2021-09-16T00:00:00.000Z",
        "dateUpdated": "2024-10-10T14:00:43.454Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41309 (GCVE-0-2021-41309)

    Vulnerability from cvelistv5 – Published: 2021-12-08 03:35 – Updated: 2024-10-10 13:52
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow a user who has had their Jira Service Management access revoked to export audit logs of another user's Jira Service Management project via a Broken Authentication vulnerability in the /plugins/servlet/audit/resource endpoint. The affected versions of Jira Server and Data Center are before version 8.19.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Broken Authentication (CWE-287)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.19.1 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.19.1 (custom)
    atlassian jira_server Affected: 0 , < 8.19.1 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    atlassian jira_data_center Affected: 0 , < 8.19.1 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    Date Public
    2021-10-27 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:31.877Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72803"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.19.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.19.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-41309",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-10T13:48:08.586317Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-10T13:52:47.289Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-10-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow a user who has had their Jira Service Management access revoked to export audit logs of another user\u0027s Jira Service Management project via a Broken Authentication vulnerability in the /plugins/servlet/audit/resource endpoint. The affected versions of Jira Server and Data Center are before version 8.19.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "Broken Authentication (CWE-287)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-08T03:35:10.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72803"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-10-27T00:00:00",
              "ID": "CVE-2021-41309",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow a user who has had their Jira Service Management access revoked to export audit logs of another user\u0027s Jira Service Management project via a Broken Authentication vulnerability in the /plugins/servlet/audit/resource endpoint. The affected versions of Jira Server and Data Center are before version 8.19.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Broken Authentication (CWE-287)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72803",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72803"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-41309",
        "datePublished": "2021-12-08T03:35:10.422Z",
        "dateReserved": "2021-09-16T00:00:00.000Z",
        "dateUpdated": "2024-10-10T13:52:47.289Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41310 (GCVE-0-2021-41310)

    Vulnerability from cvelistv5 – Published: 2021-11-01 22:55 – Updated: 2024-10-09 20:25
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Associated Projects feature (/secure/admin/AssociatedProjectsForCustomField.jspa). The affected versions are before version 8.5.19, from version 8.6.0 before 8.13.11, and from version 8.14.0 before 8.19.1.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Stored Cross-Site Scripting (SXSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.5.19 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.11 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.19.1 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.5.19 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.11 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.19.1 (custom)
    Date Public
    2021-10-26 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:31.865Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72800"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-41310",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T20:25:21.259049Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-09T20:25:50.011Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.19",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.11",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.19",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.11",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.19.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-10-26T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Associated Projects feature (/secure/admin/AssociatedProjectsForCustomField.jspa). The affected versions are before version 8.5.19, from version 8.6.0 before 8.13.11, and from version 8.14.0 before 8.19.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Stored Cross-Site Scripting (SXSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-01T22:55:09.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72800"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-10-26T00:00:00",
              "ID": "CVE-2021-41310",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.19"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.11"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.19"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.11"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.19.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the Associated Projects feature (/secure/admin/AssociatedProjectsForCustomField.jspa). The affected versions are before version 8.5.19, from version 8.6.0 before 8.13.11, and from version 8.14.0 before 8.19.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Stored Cross-Site Scripting (SXSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72800",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72800"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-41310",
        "datePublished": "2021-11-01T22:55:09.292Z",
        "dateReserved": "2021-09-16T00:00:00.000Z",
        "dateUpdated": "2024-10-09T20:25:50.011Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41308 (GCVE-0-2021-41308)

    Vulnerability from cvelistv5 – Published: 2021-10-26 04:15 – Updated: 2024-10-09 19:23
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint. The affected versions are before version 8.6.0, from version 8.7.0 before 8.13.12, and from version 8.14.0 before 8.20.1.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-285 - Improper Authorization (CWE-285)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.6.0 (custom)
    Affected: 8.7.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.12 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.1 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.6.0 (custom)
    Affected: 8.7.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.12 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.1 (custom)
    Date Public
    2021-10-25 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:31.936Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72940"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-41308",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T19:23:07.362491Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-09T19:23:22.782Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.6.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.7.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.6.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.7.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-10-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint. The affected versions are before version 8.6.0, from version 8.7.0 before 8.13.12, and from version 8.14.0 before 8.20.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization (CWE-285)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-26T04:15:22.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72940"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-10-25T00:00:00",
              "ID": "CVE-2021-41308",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.7.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.12"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.7.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.12"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint. The affected versions are before version 8.6.0, from version 8.7.0 before 8.13.12, and from version 8.14.0 before 8.20.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Authorization (CWE-285)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72940",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72940"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-41308",
        "datePublished": "2021-10-26T04:15:22.911Z",
        "dateReserved": "2021-09-16T00:00:00.000Z",
        "dateUpdated": "2024-10-09T19:23:22.782Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41307 (GCVE-0-2021-41307)

    Vulnerability from cvelistv5 – Published: 2021-10-26 04:15 – Updated: 2024-10-09 19:20
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References (IDOR) vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Insecure Direct Object References (IDOR)
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.13.12 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.0 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.13.12 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.0 (custom)
    atlassian jira_data_center Affected: 0 , < 8.13.12 (custom)
    Affected: 8.14.0 , < 8.20.0 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    atlassian jira_server Affected: 0 , < 8.13.12 (custom)
    Affected: 8.14.0 , < 8.20.0 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    Date Public
    2021-10-25 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:31.948Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72916"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.12",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.20.0",
                    "status": "affected",
                    "version": "8.14.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.12",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.20.0",
                    "status": "affected",
                    "version": "8.14.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-41307",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T18:22:28.141294Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-639",
                    "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-09T19:20:41.686Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-10-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References (IDOR) vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Insecure Direct Object References (IDOR)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-26T04:15:21.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72916"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-10-25T00:00:00",
              "ID": "CVE-2021-41307",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.12"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.12"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References (IDOR) vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Insecure Direct Object References (IDOR)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72916",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72916"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-41307",
        "datePublished": "2021-10-26T04:15:21.297Z",
        "dateReserved": "2021-09-16T00:00:00.000Z",
        "dateUpdated": "2024-10-09T19:20:41.686Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41306 (GCVE-0-2021-41306)

    Vulnerability from cvelistv5 – Published: 2021-10-26 04:15 – Updated: 2024-10-09 18:21
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References (IDOR) vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Insecure Direct Object References (IDOR)
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.13.12 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.0 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.13.12 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.20.0 (custom)
    atlassian jira_data_center Affected: 0 , < 8.13.12 (custom)
    Affected: 8.14.0 , < 8.20.0 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    atlassian jira_server Affected: 0 , < 8.13.12 (custom)
    Affected: 8.14.0 , < 8.20.0 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    Date Public
    2021-10-25 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:31.997Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72915"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.12",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.20.0",
                    "status": "affected",
                    "version": "8.14.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.12",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.20.0",
                    "status": "affected",
                    "version": "8.14.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-41306",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T18:17:30.707203Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-639",
                    "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-09T18:21:09.274Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.20.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-10-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References (IDOR) vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Insecure Direct Object References (IDOR)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-26T04:15:19.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72915"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-10-25T00:00:00",
              "ID": "CVE-2021-41306",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.12"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.12"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.20.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view private project and filter names via an Insecure Direct Object References (IDOR) vulnerability in the Average Time in Status Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Insecure Direct Object References (IDOR)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72915",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72915"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-41306",
        "datePublished": "2021-10-26T04:15:19.782Z",
        "dateReserved": "2021-09-16T00:00:00.000Z",
        "dateUpdated": "2024-10-09T18:21:09.274Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-41305 (GCVE-0-2021-41305)

    Vulnerability from cvelistv5 – Published: 2021-10-26 04:15 – Updated: 2024-10-09 16:52
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view the names of private projects and filters via an Insecure Direct Object References (IDOR) vulnerability in the Average Number of Times in Status Gadget. The affected versions are before version 8.13.12.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Insecure Direct Object References (IDOR)
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.13.12 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.13.12 (custom)
    atlassian jira_data_center Affected: 0 , < 8.13.12 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    atlassian jira_server Affected: 0 , < 8.13.12 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    Date Public
    2021-10-25 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T03:08:32.012Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72813"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.12",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.13.12",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-41305",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T16:49:26.505533Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-639",
                    "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-09T16:52:39.165Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.12",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-10-25T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view the names of private projects and filters via an Insecure Direct Object References (IDOR) vulnerability in the Average Number of Times in Status Gadget. The affected versions are before version 8.13.12.."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Insecure Direct Object References (IDOR)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-26T04:15:18.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72813"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-10-25T00:00:00",
              "ID": "CVE-2021-41305",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.12"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.12"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view the names of private projects and filters via an Insecure Direct Object References (IDOR) vulnerability in the Average Number of Times in Status Gadget. The affected versions are before version 8.13.12.."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Insecure Direct Object References (IDOR)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72813",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72813"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-41305",
        "datePublished": "2021-10-26T04:15:18.259Z",
        "dateReserved": "2021-09-16T00:00:00.000Z",
        "dateUpdated": "2024-10-09T16:52:39.165Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-39127 (GCVE-0-2021-39127)

    Vulnerability from cvelistv5 – Published: 2021-10-21 02:35 – Updated: 2024-10-10 16:05
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to access the query component JQL endpoint via a Broken Access Control (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Improper Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.5.10 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.1 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.5.10 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.1 (custom)
    atlassian jira_server Affected: 0 , < 8.5.10 (custom)
    Affected: 8.6.0 , < 8.13.1 (custom)
        cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
    atlassian jira_data_center Affected: 0 , < 8.5.10 (custom)
    Affected: 8.6.0 , < 8.13.1 (custom)
        cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
    Date Public
    2021-09-14 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T01:58:17.643Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72003"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_server",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.5.10",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.13.1",
                    "status": "affected",
                    "version": "8.6.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "jira_data_center",
                "vendor": "atlassian",
                "versions": [
                  {
                    "lessThan": "8.5.10",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "8.13.1",
                    "status": "affected",
                    "version": "8.6.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-39127",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-10T16:01:59.411320Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-10T16:05:21.853Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.10",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.10",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-09-14T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-10-21T02:35:10.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72003"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-09-14T00:00:00",
              "ID": "CVE-2021-39127",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.10"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.10"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72003",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72003"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2021-39127",
        "datePublished": "2021-10-21T02:35:10.353Z",
        "dateReserved": "2021-08-16T00:00:00.000Z",
        "dateUpdated": "2024-10-10T16:05:21.853Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-36236 (GCVE-0-2020-36236)

    Vulnerability from cvelistv5 – Published: 2021-02-14 23:50 – Updated: 2024-09-17 02:16
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0.
    Severity
    No CVSS data available.
    CWE
    • Cross-Site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.5.11 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.3 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.15.0 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.5.11 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.3 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.15.0 (custom)
    Date Public
    2021-02-04 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T17:23:09.649Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72015"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.11",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.15.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.11",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.15.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-14T23:50:13.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72015"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-02-04T00:00:00",
              "ID": "CVE-2020-36236",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.11"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.3"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.15.0"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.11"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.3"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.15.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in the ViewWorkflowSchemes.jspa and ListWorkflows.jspa endpoints. The affected versions are before version 8.5.11, from version 8.6.0 before 8.13.3, and from version 8.14.0 before 8.15.0."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Cross-Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72015",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72015"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-36236",
        "datePublished": "2021-02-14T23:50:13.382Z",
        "dateReserved": "2021-01-27T00:00:00.000Z",
        "dateUpdated": "2024-09-17T02:16:55.095Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-36235 (GCVE-0-2020-36235)

    Vulnerability from cvelistv5 – Published: 2021-02-14 23:45 – Updated: 2024-09-16 16:24
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view. The affected versions are before version 8.13.2, and from version 8.14.0 before 8.14.1.
    Severity
    No CVSS data available.
    CWE
    • Information Disclosure
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.13.2 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.14.1 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.13.2 (custom)
    Affected: 8.14.0 , < unspecified (custom)
    Affected: unspecified , < 8.14.1 (custom)
    Date Public
    2021-02-04 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T17:23:09.655Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71950"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.14.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.13.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.14.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.14.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-02-04T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view. The affected versions are before version 8.13.2, and from version 8.14.0 before 8.14.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Information Disclosure",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-14T23:45:12.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71950"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-02-04T00:00:00",
              "ID": "CVE-2020-36235",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.2"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.14.1"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.2"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.14.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.14.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view custom field and custom SLA names via an Information Disclosure vulnerability in the mobile site view. The affected versions are before version 8.13.2, and from version 8.14.0 before 8.14.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Information Disclosure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71950",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71950"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-36235",
        "datePublished": "2021-02-14T23:45:12.759Z",
        "dateReserved": "2021-01-27T00:00:00.000Z",
        "dateUpdated": "2024-09-16T16:24:07.752Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-36231 (GCVE-0-2020-36231)

    Vulnerability from cvelistv5 – Published: 2021-02-01 23:40 – Updated: 2024-09-16 17:14
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2.
    Severity
    No CVSS data available.
    CWE
    • Insecure Direct Object References (IDOR)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.5.10 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.2 (custom)
    Atlassian Jira Data Center Affected: unspecified , < 8.5.10 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.13.2 (custom)
    Date Public
    2021-01-21 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T17:23:09.962Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-72002"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.10",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            },
            {
              "product": "Jira Data Center",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.10",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.13.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2021-01-21T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Insecure Direct Object References (IDOR)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-01T23:40:12.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-72002"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2021-01-21T00:00:00",
              "ID": "CVE-2020-36231",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.10"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.2"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "Jira Data Center",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.10"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.13.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view the metadata of boards they should not have access to via an Insecure Direct Object References (IDOR) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Insecure Direct Object References (IDOR)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-72002",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-72002"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-36231",
        "datePublished": "2021-02-01T23:40:12.974Z",
        "dateReserved": "2021-01-27T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:14:09.087Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-14178 (GCVE-0-2020-14178)

    Vulnerability from cvelistv5 – Published: 2020-09-01 04:25 – Updated: 2024-09-16 22:45
    VLAI
    Summary
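    Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project keys via an Information Disclosure vulnerability in the /browse.PROJECTKEY endpoint. The affected versions are before version 7.13.7, from version 8.0.0 before 8.5.8, and from version 8.6.0 before 8.12.0. (Note: the structured version data in this record gives the first bound as 7.13.17, not 7.13.7; confirm the fixed version against the referenced vendor issue, JRASERVER-71498, before using either value for patch or exposure decisions.)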
    Severity
    No CVSS data available.
    CWE
    • Information Disclosure
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 7.13.17 (custom)
    Affected: 8.0.0 , < unspecified (custom)
    Affected: unspecified , < 8.5.8 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.12.0 (custom)
    Date Public
    2020-09-01 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T12:39:36.164Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71498"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "7.13.17",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.5.8",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.12.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-09-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project keys via an Information Disclosure vulnerability in the /browse.PROJECTKEY endpoint. The affected versions are before version 7.13.7, from version 8.0.0 before 8.5.8, and from version 8.6.0 before 8.12.0."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Information Disclosure",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-09-01T04:25:13.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71498"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-09-01T00:00:00",
              "ID": "CVE-2020-14178",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "7.13.17"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.0.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.8"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.12.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate project keys via an Information Disclosure vulnerability in the /browse.PROJECTKEY endpoint. The affected versions are before version 7.13.7, from version 8.0.0 before 8.5.8, and from version 8.6.0 before 8.12.0."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Information Disclosure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71498",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71498"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-14178",
        "datePublished": "2020-09-01T04:25:13.421Z",
        "dateReserved": "2020-06-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:45:49.594Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-14174 (GCVE-0-2020-14174)

    Vulnerability from cvelistv5 – Published: 2020-07-13 04:45 – Updated: 2024-09-16 20:31
    VLAI
    Summary
    Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, from version 8.6.0 before 8.9.2, and from version 8.10.0 before 8.10.1.
    Severity
    No CVSS data available.
    CWE
    • Insecure Direct Object References (IDOR)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 7.13.6 (custom)
    Affected: 8.0.0 , < unspecified (custom)
    Affected: unspecified , < 8.5.7 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.9.2 (custom)
    Affected: 8.10.0 , < unspecified (custom)
    Affected: unspecified , < 8.10.1 (custom)
    Date Public
    2020-07-08 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T12:39:36.196Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-71275"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "7.13.6",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.5.7",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.9.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.10.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.10.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-07-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, from version 8.6.0 before 8.9.2, and from version 8.10.0 before 8.10.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Insecure Direct Object References (IDOR)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-13T04:45:13.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-71275"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-07-08T00:00:00",
              "ID": "CVE-2020-14174",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "7.13.6"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.0.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.7"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.9.2"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.10.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.10.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, from version 8.6.0 before 8.9.2, and from version 8.10.0 before 8.10.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Insecure Direct Object References (IDOR)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-71275",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-71275"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2020-14174",
        "datePublished": "2020-07-13T04:45:13.167Z",
        "dateReserved": "2020-06-16T00:00:00.000Z",
        "dateUpdated": "2024-09-16T20:31:56.101Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-20899 (GCVE-0-2019-20899)

    Vulnerability from cvelistv5 – Published: 2020-07-13 01:00 – Updated: 2024-09-17 00:41
    VLAI
    Summary
    The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1.
    Severity
    No CVSS data available.
    CWE
    • Denial of Service
    Assigner
    References
    Impacted products
    Vendor Product Version
    Atlassian Jira Server Affected: unspecified , < 8.5.4 (custom)
    Affected: 8.6.0 , < unspecified (custom)
    Affected: unspecified , < 8.6.1 (custom)
    Date Public
    2020-03-23 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T02:53:09.541Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://jira.atlassian.com/browse/JRASERVER-70808"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Jira Server",
              "vendor": "Atlassian",
              "versions": [
                {
                  "lessThan": "8.5.4",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "8.6.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "8.6.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2020-03-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Denial of Service",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-07-13T01:00:16.000Z",
            "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
            "shortName": "atlassian"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.atlassian.com/browse/JRASERVER-70808"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@atlassian.com",
              "DATE_PUBLIC": "2020-03-23T00:00:00",
              "ID": "CVE-2019-20899",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Jira Server",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.5.4"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "8.6.0"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_value": "8.6.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Atlassian"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Denial of Service"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://jira.atlassian.com/browse/JRASERVER-70808",
                  "refsource": "MISC",
                  "url": "https://jira.atlassian.com/browse/JRASERVER-70808"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "assignerShortName": "atlassian",
        "cveId": "CVE-2019-20899",
        "datePublished": "2020-07-13T01:00:16.851Z",
        "dateReserved": "2020-07-07T00:00:00.000Z",
        "dateUpdated": "2024-09-17T00:41:28.244Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }