⚠ Actively exploited
Added to CISA KEV on 2024-11-12. Federal agencies required to patch by 2024-12-03. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CVE-2021-26086
Severity
5.3 MEDIUM
EPSS
94.2%
top 0.08%
CISA KEV
KEV
Added 2024-11-12
Due 2024-12-03
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
Published: Aug 16, 2021
KEV added: Nov 12, 2024
KEV due: Dec 3, 2024
Description
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4
Affected Packages (4 packages)
Vulnerability Details
GHSA (3)
GHSA-vvhj-8w7x-qj58 (2022-05-24): Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint.
CVE List
CVE-2021-26086 (2021-08-16): Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint.
Exploits & PoCs
Nuclei (2)
Atlassian Jira Limited - Local File Inclusion