Overview
This vulnerability (CVE-2021-26071) is a Cross-Site Request Forgery (CSRF) issue affecting Atlassian Jira Server and Data Center. The vulnerability exists in the SetFeatureEnabled.jspa resource, which lacks proper CSRF protections. When exploited, it allows unauthenticated remote attackers to trick authenticated administrators into enabling or disabling Jira Software features by having them visit a malicious website that sends forged requests to the vulnerable Jira instance. This could lead to unauthorized changes to the Jira configuration, potentially affecting the functionality and security of the application. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery).
Remediation
To remediate this vulnerability, administrators should upgrade to one of the following fixed versions:
- Version 8.5.13 or later if running 8.5.x
- Version 8.13.5 or later if running 8.6.0 through 8.13.x
- Version 8.15.1 or later if running 8.14.0 through 8.15.0
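A small triage helper, added here as an example and not Atlassian code, that encodes the three fixed-version ranges listed above so an administrator can check an installed version against them. The branch boundaries (8.5.x, 8.6.0 through 8.13.x, 8.14.0 through 8.15.0) are taken from the advisory; anything outside those ranges is reported as not covered by this advisory rather than guessed at.

```python
"""Check a Jira Server / Data Center version against the fixed versions
stated in the CVE-2021-26071 remediation guidance. Added example."""

from typing import Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '8.13.5' (optionally with a '-suffix') into a 3-tuple, padding with zeros."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


# (branch start inclusive, branch end exclusive, first fixed build in that branch),
# straight from the remediation section. The end bounds are the next branch start.
FIX_RANGES = [
    ((8, 5, 0), (8, 6, 0), (8, 5, 13)),    # 8.5.x  -> 8.5.13 or later
    ((8, 6, 0), (8, 14, 0), (8, 13, 5)),   # 8.6.0 through 8.13.x -> 8.13.5 or later
    ((8, 14, 0), (8, 16, 0), (8, 15, 1)),  # 8.14.0 through 8.15.0 -> 8.15.1 or later
]


def assess(version_text: str) -> dict:
    """Return status 'vulnerable', 'fixed' or 'not-covered' plus the upgrade target."""
    v = parse_version(version_text)
    for start, end, fixed in FIX_RANGES:
        if start <= v < end:
            if v >= fixed:
                return {"version": version_text, "status": "fixed", "upgrade_to": None}
            return {"version": version_text, "status": "vulnerable", "upgrade_to": fmt(fixed)}
    # Versions before 8.5 or after the 8.15 line are not addressed by this advisory's ranges.
    return {"version": version_text, "status": "not-covered", "upgrade_to": None}


if __name__ == "__main__":
    for sample in ("8.5.12", "8.13.4", "8.15.0", "8.15.1", "8.16.0"):
        print(assess(sample))
```

Feed it the version string from the Jira administration page; a "not-covered" result means the version is outside the ranges this advisory lists, so consult the Atlassian issue linked in the references rather than assuming it is safe.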
If immediate patching is not possible, consider implementing additional security controls:
- Configure web application firewalls to filter suspicious requests
- Implement network-level access controls to limit who can access the Jira instance
- Educate users about CSRF attacks and the risks of clicking on unknown links
- Monitor system logs for unusual activity related to feature configuration changes
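As an added example of the log-monitoring control above (not part of the advisory or Atlassian tooling), the script below scans access-log lines in the common Apache/Tomcat "combined" format and flags requests for the SetFeatureEnabled.jspa resource whose Referer is absent or comes from a host other than the Jira instance itself. The sample log lines, the client addresses and the /secure/admin/ path prefix are all constructed; only the resource name comes from the advisory. The Referer heuristic is deliberately two-tiered, since a missing Referer can be caused by a browser's referrer policy and is worth a look rather than an alarm.

```python
"""Flag feature-toggle requests in a Jira access log whose Referer is not the
Jira instance. Added detection example; log format and paths are assumptions."""

import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample lines in "combined" access-log format.
SAMPLE_LOG = """\
203.0.113.10 - admin [12/Mar/2021:10:01:02 +0000] "POST /secure/admin/SetFeatureEnabled.jspa HTTP/1.1" 302 0 "https://jira.example.internal/secure/admin/ViewFeatures.jspa" "Mozilla/5.0"
198.51.100.7 - admin [12/Mar/2021:10:05:44 +0000] "POST /secure/admin/SetFeatureEnabled.jspa HTTP/1.1" 302 0 "https://unrelated.example/page.html" "Mozilla/5.0"
198.51.100.9 - admin [12/Mar/2021:10:07:10 +0000] "GET /secure/admin/SetFeatureEnabled.jspa HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - admin [12/Mar/2021:10:08:00 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

RESOURCE = "SetFeatureEnabled.jspa"  # the resource named in the advisory


def classify_line(line: str, jira_host: str) -> Optional[dict]:
    """Return a record with a verdict for feature-toggle requests, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    if RESOURCE not in rec["path"]:
        return None  # not the resource we are watching
    ref = rec["referer"]
    if not ref or ref == "-":
        verdict, reason = "review", "no Referer on a feature-toggle request"
    else:
        host = urlsplit(ref).hostname
        if host and host.lower() == jira_host.lower():
            verdict, reason = "expected", "Referer is the Jira instance itself"
        else:
            verdict, reason = "alert", f"Referer host {host!r} is not the Jira instance"
    return {**rec, "verdict": verdict, "reason": reason}


def scan(log_text: str, jira_host: str) -> List[dict]:
    """Classify every line that targets the feature-toggle resource."""
    return [
        rec for rec in (classify_line(line, jira_host) for line in log_text.splitlines())
        if rec is not None
    ]


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG, "jira.example.internal"):
        print(rec["verdict"].upper(), rec["client"], rec["user"], rec["method"], rec["reason"])
```

Run it against the real access log with the instance's own hostname; "alert" records are the ones to correlate with the administrator's session and with any feature changes recorded in the Jira audit log, and "review" records are worth checking when they cluster in time.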
References
- Atlassian Jira Server and Data Center issue tracker: https://jira.atlassian.com/browse/JRASERVER-72233
- MITRE CWE-352 (Cross-Site Request Forgery): https://cwe.mitre.org/data/definitions/352.html
- Atlassian Security Advisory: https://jira.atlassian.com/browse/JRASERVER-72233
Industry Exposure
Most to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- Manufacturing
- Health Care & Social Assistance
- Management of Companies & Enterprises
- Educational Services
- Public Administration
- Transportation & Warehousing
- Wholesale Trade
- Accommodation & Food Services
- Administrative, Support, Waste Management & Remediation Services
- Agriculture, Forestry, Fishing & Hunting
- Arts, Entertainment & Recreation
- Construction
- Finance and Insurance
- Information
- Mining
- Other Services (except Public Administration)
- Professional, Scientific, & Technical Services
- Real Estate Rental & Leasing
- Retail Trade
- Utilities