CVE-2021-41307: Insecure Direct Object References vulnerability in Jira Server and Data Center allows unauthenticated attackers to view private project names and filters.


CVE-2021-41307 affects Atlassian Jira Server and Data Center. The vulnerability allows unauthenticated remote attackers to view the names of private projects and private filters through an Insecure Direct Object References (IDOR) vulnerability specifically in the Workload Pie Chart Gadget. This security issue impacts versions before 8.13.12, and versions 8.14.0 to 8.19.x. The vulnerability exposes sensitive information that should normally be restricted to authenticated and authorized users, potentially compromising project confidentiality.

Overview

This vulnerability (CWE-639: Authorization Bypass Through User-Controlled Key) allows unauthorized access to private information in Jira instances. The issue exists in the Workload Pie Chart Gadget component where improper access controls allow unauthenticated attackers to view names of private projects and filters that should be restricted. While the vulnerability doesn't provide full access to the private project contents, it leaks information about the existence and names of private projects, which could be valuable intelligence for attackers planning further targeted attacks or attempting to map an organization's internal structure and activities.

Remediation

Organizations using affected versions of Jira Server or Data Center should upgrade to patched versions immediately. The fixed versions are 8.13.12 or 8.20.0 and later. If immediate upgrading is not possible, consider implementing network-level controls to restrict access to the Jira instance only to trusted users and networks. Additionally, review and audit the usage of gadgets, particularly the Workload Pie Chart Gadget, and consider temporarily disabling it until the upgrade can be completed. After upgrading, conduct a security review to ensure no unauthorized access occurred during the vulnerable period.
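As an added defender-side helper (not code from Atlassian or from this page), the following Python classifies Jira Server/Data Center version strings against the affected ranges stated above (before 8.13.12, and 8.14.0 through 8.19.x) and maps each affected host to the upgrade target named in the remediation text. The host-to-version inventory is a constructed sample; how you collect it is up to your own asset inventory.

```python
"""Triage Jira Server/Data Center versions against CVE-2021-41307.

Ranges are taken from the advisory text above:
  - affected: every version before 8.13.12, and 8.14.0 up to (not including) 8.20.0
  - fixed:    8.13.12 and later on the 8.13 line; 8.20.0 and later
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

FIRST_FIXED_813 = (8, 13, 12)
FIRST_AFFECTED_AFTER_813 = (8, 14, 0)
FIRST_FIXED_820 = (8, 20, 0)


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' into a comparable tuple; a trailing suffix is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Jira version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True when the version falls inside either affected range."""
    v = parse_version(version)
    if v < FIRST_FIXED_813:
        return True
    return FIRST_AFFECTED_AFTER_813 <= v < FIRST_FIXED_820


def recommended_fix(version: str) -> str:
    """Upgrade target for an affected version, or 'not affected'."""
    if not is_affected(version):
        return "not affected"
    if parse_version(version) < FIRST_FIXED_813:
        # Anything older than the 8.13.12 backport can take either fixed line.
        return "upgrade to 8.13.12 (or 8.20.0+)"
    return "upgrade to 8.20.0 or later"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return only the affected hosts, each with its recommended upgrade."""
    return {host: recommended_fix(ver) for host, ver in inventory.items() if is_affected(ver)}


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "jira-prod.example.internal": "8.13.11",
    "jira-lts.example.internal": "8.13.15",
    "jira-test.example.internal": "8.19.1-hotfix",
    "jira-new.example.internal": "8.20.3",
}
```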

References

  • Atlassian Jira Server issue tracker: https://jira.atlassian.com/browse/JRASERVER-72916
  • CWE-639: Authorization Bypass Through User-Controlled Key: https://cwe.mitre.org/data/definitions/639.html
  • Atlassian Security Advisory for CVE-2021-41307

Industry Exposure (most to least affected)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Medium
  2. Health Care & Social Assistance: Low
  3. Transportation & Warehousing: Low
  4. Finance and Insurance: Low
  5. Information: Low
  6. Other Services (except Public Administration): Low
  7. Retail Trade: Low
  8. Arts, Entertainment & Recreation: Low
  9. Management of Companies & Enterprises: Low
  10. Public Administration: Low
  11. Accommodation & Food Services: Low
  12. Administrative, Support, Waste Management & Remediation Services: Low
  13. Agriculture, Forestry, Fishing & Hunting: Low
  14. Construction: Low
  15. Educational Services: Low
  16. Mining: Low
  17. Professional, Scientific & Technical Services: Low
  18. Real Estate Rental & Leasing: Low
  19. Utilities: Low
  20. Wholesale Trade: Low
