CVE-2021-39119

CWE-863 — Incorrect Authorization CWE-287 — Improper Authentication3 documents3 sources

Severity

5.3MEDIUM

EPSS

0.2%

top 59.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Atlassian Jira Data Center Atlassian Jira Server Atlassian Data Center +1 more

Timeline

PublishedSep 1

Latest updateMay 24

Description

Affected versions of Atlassian Jira Server and Data Center allow users who have watched an issue to continue receiving updates on the issue even after their Jira account is revoked, via a Broken Access Control vulnerability in the issue notification feature. The affected versions are before version 8.19.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶CVEListV5atlassian/jira_data_centerunspecified — 8.19.0

▶CVEListV5atlassian/jira_serverunspecified — 8.19.0

▶NVDatlassian/jira< 8.19.0

▶NVDatlassian/data_center< 8.19.0

🔴Vulnerability Details

GHSA

GHSA-jw43-345w-92rc: Affected versions of Atlassian Jira Server and Data Center allow users who have watched an issue to continue receiving updates on the issue even after↗2022-05-24

▶

CVEList

CVE-2021-39119: Affected versions of Atlassian Jira Server and Data Center allow users who have watched an issue to continue receiving updates on the issue even after↗2021-09-01

▶