CVE-2021-39113 (GCVE-0-2021-39113)
Vulnerability from cvelistv5 – Published: 2021-08-30 06:30 – Updated: 2024-10-11 19:09
VLAI?
Summary
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0.
Severity ?
7.5 (High)
CWE
- Broken Access Control
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Atlassian | Jira Server |
Affected:
unspecified , < 8.13.9
(custom)
Affected: 8.14.0 , < unspecified (custom) Affected: unspecified , < 8.18.0 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:58:17.748Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-72573"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_server",
"vendor": "atlassian",
"versions": [
{
"lessThan": "8.13.9",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "8.18.0",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jira_data_center",
"vendor": "atlassian",
"versions": [
{
"lessThan": "8.13.9",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "8.18.0",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-39113",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-11T19:00:18.342826Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-11T19:09:34.976Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jira Server",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.13.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.18.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Jira Data Center",
"vendor": "Atlassian",
"versions": [
{
"lessThan": "8.13.9",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "8.14.0",
"versionType": "custom"
},
{
"lessThan": "8.18.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-08-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Broken Access Control",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-30T06:30:17",
"orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"shortName": "atlassian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.atlassian.com/browse/JRASERVER-72573"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@atlassian.com",
"DATE_PUBLIC": "2021-08-30T00:00:00",
"ID": "CVE-2021-39113",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jira Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.13.9"
},
{
"version_affected": "\u003e=",
"version_value": "8.14.0"
},
{
"version_affected": "\u003c",
"version_value": "8.18.0"
}
]
}
},
{
"product_name": "Jira Data Center",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "8.13.9"
},
{
"version_affected": "\u003e=",
"version_value": "8.14.0"
},
{
"version_affected": "\u003c",
"version_value": "8.18.0"
}
]
}
}
]
},
"vendor_name": "Atlassian"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Broken Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jira.atlassian.com/browse/JRASERVER-72573",
"refsource": "MISC",
"url": "https://jira.atlassian.com/browse/JRASERVER-72573"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
"assignerShortName": "atlassian",
"cveId": "CVE-2021-39113",
"datePublished": "2021-08-30T06:30:17.310271Z",
"dateReserved": "2021-08-16T00:00:00",
"dateUpdated": "2024-10-11T19:09:34.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2021-39113\",\"sourceIdentifier\":\"security@atlassian.com\",\"published\":\"2021-08-30T07:15:06.737\",\"lastModified\":\"2024-11-21T06:18:35.783\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0.\"},{\"lang\":\"es\",\"value\":\"Unas versiones afectadas de Atlassian Jira Server y Data Center permiten a atacantes remotos an\u00f3nimos seguir visualizando el contenido en cach\u00e9 incluso despu\u00e9s de perder los permisos, por medio de una vulnerabilidad de Control de Acceso Roto en la funcionalidad allowlist. Las versiones afectadas son versiones anteriores a 8.13.9, y desde versiones 8.14.0 anteriores a 8.18.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-613\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-613\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"8.13.9\",\"matchCriteriaId\":\"0A6F7F6F-1C16-4769-BE9F-C57C1F148938\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"8.13.9\",\"matchCriteriaId\":\"006A3D1F-F4A6-4971-9A69-30ACE29022D7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.14.0\",\"versionEndExcluding\":\"8.18.0\",\"matchCriteriaId\":\"0DB8777E-BFA3-4194-880B-3291A57A40C7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.14.0\",\"versionEndExcluding\":\"8.18.0\",\"matchCriteriaId\":\"0503EF7F-EEDD-4D97-810F-D8C46FDBE0E3\"}]}]}],\"references\":[{\"url\":\"https://jira.atlassian.com/browse/JRASERVER-72573\",\"source\":\"security@atlassian.com\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://jira.atlassian.com/browse/JRASERVER-72573\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"affected\": [{\"product\": \"Jira Server\", \"vendor\": \"Atlassian\", \"versions\": [{\"lessThan\": \"8.13.9\", \"status\": \"affected\", \"version\": \"unspecified\", \"versionType\": \"custom\"}, {\"lessThan\": \"unspecified\", \"status\": \"affected\", \"version\": \"8.14.0\", \"versionType\": \"custom\"}, {\"lessThan\": \"8.18.0\", \"status\": \"affected\", \"version\": \"unspecified\", \"versionType\": \"custom\"}]}, {\"product\": \"Jira Data Center\", \"vendor\": \"Atlassian\", \"versions\": [{\"lessThan\": \"8.13.9\", \"status\": \"affected\", \"version\": \"unspecified\", \"versionType\": \"custom\"}, {\"lessThan\": \"unspecified\", \"status\": \"affected\", \"version\": \"8.14.0\", \"versionType\": \"custom\"}, {\"lessThan\": \"8.18.0\", \"status\": \"affected\", \"version\": \"unspecified\", \"versionType\": \"custom\"}]}], \"datePublic\": \"2021-08-30T00:00:00\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"description\": \"Broken Access Control\", \"lang\": \"en\", \"type\": \"text\"}]}], \"providerMetadata\": {\"dateUpdated\": \"2021-08-30T06:30:17\", \"orgId\": \"f08a6ab8-ed46-4c22-8884-d911ccfe3c66\", \"shortName\": \"atlassian\"}, \"references\": [{\"tags\": [\"x_refsource_MISC\"], \"url\": \"https://jira.atlassian.com/browse/JRASERVER-72573\"}], \"x_legacyV4Record\": {\"CVE_data_meta\": {\"ASSIGNER\": \"security@atlassian.com\", \"DATE_PUBLIC\": \"2021-08-30T00:00:00\", \"ID\": \"CVE-2021-39113\", \"STATE\": \"PUBLIC\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"product_name\": \"Jira Server\", \"version\": {\"version_data\": [{\"version_affected\": \"\u003c\", \"version_value\": \"8.13.9\"}, {\"version_affected\": \"\u003e=\", \"version_value\": \"8.14.0\"}, {\"version_affected\": \"\u003c\", \"version_value\": \"8.18.0\"}]}}, {\"product_name\": \"Jira Data Center\", \"version\": {\"version_data\": [{\"version_affected\": \"\u003c\", \"version_value\": \"8.13.9\"}, {\"version_affected\": \"\u003e=\", \"version_value\": \"8.14.0\"}, {\"version_affected\": \"\u003c\", \"version_value\": \"8.18.0\"}]}}]}, \"vendor_name\": \"Atlassian\"}]}}, \"data_format\": \"MITRE\", \"data_type\": \"CVE\", \"data_version\": \"4.0\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"Broken Access Control\"}]}]}, \"references\": {\"reference_data\": [{\"name\": \"https://jira.atlassian.com/browse/JRASERVER-72573\", \"refsource\": \"MISC\", \"url\": \"https://jira.atlassian.com/browse/JRASERVER-72573\"}]}}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T01:58:17.748Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://jira.atlassian.com/browse/JRASERVER-72573\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-39113\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-11T19:00:18.342826Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*\"], \"vendor\": \"atlassian\", \"product\": \"jira_server\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"8.13.9\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"8.14.0\", \"lessThan\": \"8.18.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*\"], \"vendor\": \"atlassian\", \"product\": \"jira_data_center\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"8.13.9\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"8.14.0\", \"lessThan\": \"8.18.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-613\", \"description\": \"CWE-613 Insufficient Session Expiration\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-11T19:01:56.591Z\"}}]}",
"cveMetadata": "{\"assignerOrgId\": \"f08a6ab8-ed46-4c22-8884-d911ccfe3c66\", \"assignerShortName\": \"atlassian\", \"cveId\": \"CVE-2021-39113\", \"datePublished\": \"2021-08-30T06:30:17.310271Z\", \"dateReserved\": \"2021-08-16T00:00:00\", \"dateUpdated\": \"2024-10-11T19:09:34.976Z\", \"state\": \"PUBLISHED\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…