CVE-2021-26076
Published on: 04/14/2021 12:00:00 AM UTC
Last Modified on: 03/30/2022 01:29:00 PM UTC
Certain versions of Data Center from Atlassian contain the following vulnerability:
The jira.editor.user.mode cookie set by the Jira Editor Plugin in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.0 allows remote anonymous attackers who can perform an attacker-in-the-middle attack to learn which mode a user is editing in, because the cookie is not set with the Secure attribute when Jira is configured to use HTTPS.
- CVE-2021-26076 has been assigned by securit[email protected] to track the vulnerability - currently rated as LOW severity.
CVSS3 Score: 3.7 - LOW
Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
NETWORK | HIGH | NONE | NONE |

Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
UNCHANGED | LOW | NONE | NONE |
CVSS2 Score: 4.3 - MEDIUM
Access Vector | Access Complexity | Authentication |
---|---|---|
NETWORK | MEDIUM | NONE |

Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|
PARTIAL | NONE | NONE |
CVE References
Description | Tags | Link |
---|---|---|
[JRASERVER-72252] jira.editor.user.mode cookie missing the secure attribute when Jira is configured with https - CVE-2021-26076 - Create and track feature requests for Atlassian products. | jira.atlassian.com text/html |
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Atlassian | Data Center | All | All | All | All |
Application | Atlassian | Jira | All | All | All | All |
Application | Atlassian | Jira Data Center | All | All | All | All |
Application | Atlassian | Jira Server | All | All | All | All |
- cpe:2.3:a:atlassian:data_center:*:*:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*:
- cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*:
No vendor comments have been submitted for this CVE
Social Mentions
Source | Title | Posted (UTC) |
---|---|---|
CVE-2021-26076 | 2021-04-15 00:20:11 |