CVE-2021-26081

Name of the Vulnerable Software and Affected Versions Atlassian Jira Server and Jira Data Center versions 8.5.13 and earlier Atlassian Jira Server and Jira Data Center versions 8.6.0 through 8.13.5 Atlassian Jira Server and Jira Data Center versions 8.14.0 through 8.16.0

Description The issue allows remote attackers to enumerate usernames via a Sensitive Data Exposure vulnerability in the "/rest/api/latest/user/avatar/temporary" endpoint. This enables attackers to potentially identify and target specific users.

Recommendations For versions 8.5.13 and earlier, update to version 8.5.14 or later. For versions 8.6.0 through 8.13.5, update to version 8.13.6 or later. For versions 8.14.0 through 8.16.0, update to version 8.16.1 or later. As a temporary workaround, consider restricting access to the "/rest/api/latest/user/avatar/temporary" endpoint until a patch is available.