Lucene search

K
atlassianSecurity-metrics-botJSDSERVER-10982
HistoryDec 22, 2021 - 3:14 a.m.

An unauthorized user can view private objects via the Custom Fields feature - CVE-2021-43949

2021-12-2203:14:08
security-metrics-bot
jira.atlassian.com
25

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4 Medium

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

35.3%

Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view private objects via a Broken Access Control vulnerability in the Custom Fields feature.

The affected versions are before version 4.21.0.

Affected versions:

  • version < 4.21.0

Fixed versions:

  • 4.21.0

Affected configurations

Vulners
Node
atlassianjira_data_centerRange4.20.0
OR
atlassianjira_data_centerRange<4.21.0
OR
atlassianjira_data_centerRange<4.20.4

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4 Medium

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

35.3%

Related for JSDSERVER-10982