atlassian | Security-metrics-bot | ATLASSIAN:JRASERVER-72293
Apr 07, 2021 - 6:10 a.m.

Anonymous users are able to view user information through the /rest/api/2/search endpoint - CVE-2021-39122

2021-04-07 06:10:01
security-metrics-bot
jira.atlassian.com
14
atlassian jira server
atlassian jira data center
information disclosure

EPSS: 0.002 (percentile: 57.0%)

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view users’ emails via an Information Disclosure vulnerability in the /rest/api/2/search endpoint.

The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.

Affected versions:

  • version < 8.5.13
  • 8.6.0 ≤ version < 8.13.5
  • 8.14.0 ≤ version < 8.15.1

Fixed versions:

  • 8.5.13
  • 8.13.5
  • 8.15.1
  • 8.16.0
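
The affected ranges above can be checked against an inventory of Jira versions. The following is an added example, not Atlassian's code: the host names and the inventory are constructed, and the function names are hypothetical. Versions are compared numerically (a plain string comparison would rank 8.5.9 above 8.5.13), and any version string with a suffix is set aside for manual review rather than guessed at.

```python
import re

# Affected ranges as stated in the advisory: (inclusive lower, exclusive upper).
AFFECTED_RANGES = [
    ((0, 0, 0), (8, 5, 13)),    # version < 8.5.13
    ((8, 6, 0), (8, 13, 5)),    # 8.6.0 <= version < 8.13.5
    ((8, 14, 0), (8, 15, 1)),   # 8.14.0 <= version < 8.15.1
]

def parse_version(text):
    """Parse 'major.minor[.patch]' into a tuple of ints; reject anything else."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_affected(version_text):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def triage(inventory):
    """Split {host: version} into (affected, not_affected, unparsed) host lists."""
    affected, not_affected, unparsed = [], [], []
    for host, version_text in sorted(inventory.items()):
        try:
            (affected if is_affected(version_text) else not_affected).append(host)
        except ValueError:
            unparsed.append(host)  # e.g. pre-release builds: review by hand
    return affected, not_affected, unparsed

# Constructed inventory for illustration only.
SAMPLE_INVENTORY = {
    "jira-legacy": "8.5.9",
    "jira-prod": "8.13.5",
    "jira-dev": "8.14.0",
    "jira-new": "8.16.0",
    "jira-lab": "8.15.1-rc1",
}

if __name__ == "__main__":
    affected, ok, unknown = triage(SAMPLE_INVENTORY)
    print("affected:", affected)
    print("not affected:", ok)
    print("needs manual review:", unknown)
```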
