QID 730280

Date Published: 2021-11-24

QID 730280: Atlassian Jira Server and Data Center Cross-Site Request Forgery (CSRF) Vulnerability (JRASERVER-71806)

Jira is a proprietary issue tracking product, developed by Atlassian. It provides bug tracking, issue tracking, and project management functions.

CVE-2021-39126:Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify various resources via a Cross-Site Request Forgery (CSRF) vulnerability, following an Information Disclosure vulnerability in the referrer headers which discloses a user's CSRF token..

Affected version:
Atlassian Jira Server and Data Center version prior to 8.5.10
Atlassian Jira Server and Data Center version from 8.6.0 to 8.13.0

QID Detection Logic:(Unauthenticated)
It checks for vulnerable version of Atlassian Jira.

Successful exploitation of this vulnerability will allow to capture the referrer headers which discloses a user's CSRF token

  • CVSS V3 rated as Critical - 8.8 severity.
  • CVSS V2 rated as High - 6.8 severity.
  • Solution
    Customers are advised to refer to JRASERVER-71806 for updates pertaining to this vulnerability.
    Vendor References

    CVEs related to QID 730280

    Software Advisories
    Advisory ID Software Component Link
    JRASERVER-71806 URL Logo jira.atlassian.com/browse/JRASERVER-71806