Lucene search

K
atlassianSecurity-metrics-botATLASSIAN:JRASERVER-72695
HistoryAug 12, 2021 - 3:49 a.m.

Limited Remote File Read in Jira Software Server - CVE-2021-26086

2021-08-1203:49:00
security-metrics-bot
jira.atlassian.com
67

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint.

The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.

Affected versions:

  • version < 8.5.14
  • 8.6.0 ≤ version < 8.13.6
  • 8.14.0 ≤ version < 8.16.1

Fixed versions:

  • 8.5.14
  • 8.13.6
  • 8.16.1
  • 8.17.0

h4. Mitigation
Until the upgrade you may use the following workaround to protect the files:
https://confluence.atlassian.com/jirakb/workaround-for-cve-2019-15004-979416164.html

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N