CVE-2021-39113

CWE-613 — Insufficient Session Expiration3 documents3 sources

Severity

7.5HIGH

EPSS

0.3%

top 45.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Atlassian Jira Data Center Atlassian Jira Server Atlassian Data Center +1 more

Timeline

PublishedAug 30

Latest updateMay 24

Description

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶CVEListV5atlassian/jira_data_centerunspecified — 8.13.9+2

▶NVDatlassian/jira_data_center8.14.0 — 8.18.0

▶CVEListV5atlassian/jira_serverunspecified — 8.13.9+2

▶NVDatlassian/data_center< 8.13.9

▶NVDatlassian/jira_server8.14.0 — 8.18.0

🔴Vulnerability Details

GHSA

GHSA-h2f3-6hhf-j7cc: Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permi↗2022-05-24

▶

CVEList

CVE-2021-39113: Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permi↗2021-08-30

▶