7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
h3. Issue Summary
Jira is affected by Tomcat CVE-2021-42340 - Denial of service via an OutOfMemoryError (Base Score: 7.5 HIGH)
bq. The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
The recently disclosed vulnerability regarding Tomcat [CVE-2021-42340|https://nvd.nist.gov/vuln/detail/CVE-2021-42340] affects the following versions:
Mitigation:
Users of the affected versions should apply one of the following mitigations:
h3. Steps to Reproduce
See more at: [https://nvd.nist.gov/vuln/detail/CVE-2021-42340] and [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42340]
h3. Expected Results
h3. Actual Results
Affected Jira versions:
8.15 to 8.19
h3. Workaround
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P