CVE-2021-26071

CWE-352Cross-Site Request Forgery (CSRF)3 documents3 sources
Severity
3.5LOW
EPSS
0.1%
top 69.97%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Atlassian Jira Data CenterAtlassian Jira ServerAtlassian Data Center+1 more
Timeline
PublishedApr 1
Latest updateMay 24

Description

The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:NExploitability: 2.1 | Impact: 1.4

Affected Packages6 packages

CVEListV5atlassian/jira_data_centerunspecified8.5.13+4
NVDatlassian/jira_data_center8.6.08.13.5+1
CVEListV5atlassian/jira_serverunspecified8.5.13+4
NVDatlassian/jira_server8.6.08.13.5+1
NVDatlassian/jira< 8.5.13

Patches

Patch: jira.atlassian.comPatch: jira.atlassian.com

🔴Vulnerability Details

2
GHSA
GHSA-3v9q-ffv3-hg8c: The SetFeatureEnabled2022-05-24
CVEList
CVE-2021-26071: The SetFeatureEnabled2021-04-01
CVE-2021-26071 (LOW CVSS 3.5) | The SetFeatureEnabled.jspa resource | cvebase.io