CVE-2021-39127

CWE-668 — Exposure to Wrong Sphere3 documents3 sources

Severity

5.3MEDIUM

EPSS

0.3%

top 47.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Atlassian Jira Data Center Atlassian Jira Server Atlassian Jira +1 more

Timeline

PublishedOct 21

Latest updateMay 24

Description

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages6 packages

▶CVEListV5atlassian/jira_data_centerunspecified — 8.5.10+2

▶NVDatlassian/jira_data_center8.6.0 — 8.13.1

▶NVDatlassian/jira_software_data_center< 8.5.10

▶CVEListV5atlassian/jira_serverunspecified — 8.5.10+2

▶NVDatlassian/jira_server8.6.0 — 8.13.1

Patches

Patch: jira.atlassian.com ↗Patch: jira.atlassian.com ↗

🔴Vulnerability Details

GHSA

GHSA-wwr3-qq72-5vcc: Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Co↗2022-05-24

▶

CVEList

CVE-2021-39127: Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Co↗2021-10-21

▶