CVE-2021-26076 — Atlassian Jira Data Center vulnerability

3 documents3 sources

Severity

3.7LOWNVD

EPSS

0.2%

top 56.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Atlassian Jira Data Center Atlassian Jira Server Atlassian Data Center +1 more

Timeline

PublishedApr 15

Latest updateMay 24

Description

The jira.editor.user.mode cookie set by the Jira Editor Plugin in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.0 allows remote anonymous attackers who can perform an attacker in the middle attack to learn which mode a user is editing in due to the cookie not being set with a secure attribute if Jira was configured to use https.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 2.2 | Impact: 1.4

Affected Packages6 packages

▶CVEListV5atlassian/jira_data_centerunspecified — 8.5.12+4

▶NVDatlassian/jira_data_center8.6.0 — 8.13.4+1

▶CVEListV5atlassian/jira_serverunspecified — 8.5.12+4

▶NVDatlassian/jira_server8.6.0 — 8.13.4+1

▶NVDatlassian/jira< 8.5.12

Patches

Patch: jira.atlassian.com ↗Patch: jira.atlassian.com ↗

🔴Vulnerability Details

GHSA

GHSA-878x-rm8q-c4xm: The jira↗2022-05-24

▶

CVEList

CVE-2021-26076: The jira↗2021-04-14

▶