QID 150438

Date Published: 2021-12-09

QID 150438: Atlassian Jira Server Multiple Security Vulnerabilities (JRASERVER-72009, JRASERVER-71806, JRASERVER-72003)

Jira is a proprietary issue tracking product developed by Atlassian. It provides bug tracking, issue tracking, and project management functions.

Multiple vulnerabilities have been identified in Atlassian Jira Server:
CVE-2021-39125: Username enumeration via the password reset page.
CVE-2021-39126: CSRF token theft through referrer headers.
CVE-2021-39127: Anonymous users are able to access the query component JQL endpoint.

Affected versions:
  • before version 8.5.10
  • from version 8.6.0 before version 8.13.1
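As an added illustration (not part of the Qualys advisory), the Python below turns the two affected ranges above into a version check that can be run over an inventory of Jira Server hosts; the host names, the sample inventory and the function names are constructed for this example.

```python
"""Affected-version check for QID 150438 (Atlassian Jira Server).

Added example, not Qualys or Atlassian code: the ranges are taken from the
advisory text; the inventory below is constructed sample data.
"""
import re
from typing import List, Tuple

Version = Tuple[int, int, int, int]

# Affected ranges from the advisory: [lower bound inclusive, upper bound exclusive).
# "before 8.5.10" has no lower bound, so 0.0.0 is used.
AFFECTED_RANGES = [("0.0.0", "8.5.10"), ("8.6.0", "8.13.1")]

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(-[0-9A-Za-z.]+)?$")


def parse_version(text: str) -> Version:
    """Turn 'major.minor.patch[-suffix]' into a comparable tuple.

    A pre-release suffix (e.g. 8.13.1-rc1) sorts before the plain release, so a
    build that precedes the fixed release is still reported as affected."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jira version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), -1 if suffix else 0)


def is_affected(version_text: str) -> bool:
    """True when the version lies inside any affected range of the advisory."""
    v = parse_version(version_text)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def affected_hosts(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hosts whose Jira Server version is affected."""
    return [host for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory: host names and versions are made up.
SAMPLE_INVENTORY = [
    ("jira-prod.example.internal", "8.13.0"),   # inside 8.6.0 <= v < 8.13.1
    ("jira-lts.example.internal", "8.5.10"),    # first fixed 8.5.x release
    ("jira-old.example.internal", "7.13.2"),    # before 8.5.10
    ("jira-rc.example.internal", "8.13.1-rc1"), # pre-release of the fixed version
    ("jira-fixed.example.internal", "8.13.1"),  # fixed
]

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY:
        print(f"{host:32} {ver:12} {'AFFECTED' if is_affected(ver) else 'ok'}")
```

Note that 8.5.11 and later 8.5.x releases fall outside both ranges, which the check reflects.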

Successful exploitation would lead to username enumeration, CSRF, and broken access control in the JQL endpoint.

  • CVSS v3 rated as Critical - 8.8 severity.
  • CVSS v2 rated as High - 6.8 severity.
  • Solution
    Upgrade Atlassian Jira Server to a fixed version.

    Software Advisories
    Advisory ID      Link
    JRASERVER-71806  jira.atlassian.com/browse/JRASERVER-71806
    JRASERVER-72003  jira.atlassian.com/browse/JRASERVER-72003
    JRASERVER-72009  jira.atlassian.com/browse/JRASERVER-72009