PT-2021-16943 · Atlassian · Jira

Published

2021-04-14

Updated

2022-03-30

CVE-2021-26076

CVSS v2.0

4.3

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions Jira Server and Data Center versions prior to 8.5.12 Jira Server and Data Center versions 8.6.0 through 8.13.4 Jira Server and Data Center versions 8.14.0 through 8.14.x

Description The issue allows remote anonymous attackers to learn which mode a user is editing in due to the jira.editor.user.mode cookie not being set with a secure attribute if Jira was configured to use https. This can occur when an attacker performs a man-in-the-middle attack.

Recommendations For versions prior to 8.5.12, update to version 8.5.12 or later. For versions 8.6.0 through 8.13.4, update to version 8.13.4 or later. For versions 8.14.0 through 8.14.x, update to version 8.15.0 or later.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2021-26076

Affected Products

Jira

PT-2021-16943 · Atlassian · Jira

CVE-2021-26076

Related Identifiers

Affected Products

References · 4