{"api_version":"1","generated_at":"2026-04-23T02:36:33+00:00","cve":"CVE-2021-41307","urls":{"html":"https://cve.report/CVE-2021-41307","api":"https://cve.report/api/cve/CVE-2021-41307.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-41307","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-41307"},"summary":{"title":"CVE-2021-41307","description":"Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References (IDOR) vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0.","state":"PUBLIC","assigner":"security@atlassian.com","published_at":"2021-10-26 05:15:00","updated_at":"2022-03-25 18:14:00"},"problem_types":["CWE-639"],"metrics":[],"references":[{"url":"https://jira.atlassian.com/browse/JRASERVER-72916","name":"https://jira.atlassian.com/browse/JRASERVER-72916","refsource":"MISC","tags":[],"title":"[JRASERVER-72916] Anonymous user can view names of private projects and filters via IDOR in Workload Pie Chart Gadget - CVE-2021-41307 - Create and track feature requests for Atlassian products.","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-41307","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41307","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"41307","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"atlassian","cpe5":"jira","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41307","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"atlassian","cpe5":"jira_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"41307","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"atlassian","cpe5":"jira_software_data_center","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-41307","qid":"150467","title":"Atlassian Jira Server Private Project Names Enumeration Vulnerability (JRASERVER-72916)"},{"cve":"CVE-2021-41307","qid":"730250","title":"Atlassian Jira Server and Data Center IDOR Vulnerability (JRASERVER-72916)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@atlassian.com","DATE_PUBLIC":"2021-10-25T00:00:00","ID":"CVE-2021-41307","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Jira Server","version":{"version_data":[{"version_value":"8.13.12","version_affected":"<"},{"version_value":"8.14.0","version_affected":">="},{"version_value":"8.20.0","version_affected":"<"}]}},{"product_name":"Jira Data Center","version":{"version_data":[{"version_value":"8.13.12","version_affected":"<"},{"version_value":"8.14.0","version_affected":">="},{"version_value":"8.20.0","version_affected":"<"}]}}]},"vendor_name":"Atlassian"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References (IDOR) vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Insecure Direct Object References (IDOR)"}]}]},"references":{"reference_data":[{"url":"https://jira.atlassian.com/browse/JRASERVER-72916","refsource":"MISC","name":"https://jira.atlassian.com/browse/JRASERVER-72916"}]}},"nvd":{"publishedDate":"2021-10-26 05:15:00","lastModifiedDate":"2022-03-25 18:14:00","problem_types":["CWE-639"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*","versionEndExcluding":"8.13.12","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*","versionEndExcluding":"8.13.12","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:atlassian:jira_software_data_center:*:*:*:*:*:*:*:*","versionStartIncluding":"8.14.0","versionEndExcluding":"8.20.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*","versionStartIncluding":"8.14.0","versionEndExcluding":"8.20.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"41307","Ordinal":"217090","Title":"CVE-2021-41307","CVE":"CVE-2021-41307","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"41307","Ordinal":"1","NoteData":"Affected versions of Atlassian Jira Server and Data Center allow unauthenticated remote attackers to view the names of private projects and private filters via an Insecure Direct Object References (IDOR) vulnerability in the Workload Pie Chart Gadget. The affected versions are before version 8.13.12, and from version 8.14.0 before 8.20.0.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"41307","Ordinal":"2","NoteData":"2021-10-26","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"41307","Ordinal":"3","NoteData":"2021-10-26","Type":"Other","Title":"Modified"}]}}}