CVE-2021-26076
First published: Thu Apr 15 2021(Updated: )
The jira.editor.user.mode cookie set by the Jira Editor Plugin in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.0 allows remote anonymous attackers who can perform an attacker in the middle attack to learn which mode a user is editing in due to the cookie not being set with a secure attribute if Jira was configured to use https.
Credit: security@atlassian.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Atlassian Data Center | <8.5.12 | |
| Atlassian JIRA | <8.5.12 | |
| Atlassian Jira Data Center | >=8.6.0<8.13.4 | |
| Atlassian Jira Data Center | >=8.14.0<8.15.1 | |
| Atlassian Jira Server | >=8.6.0<8.13.4 | |
| Atlassian Jira Server | >=8.14.0<8.15.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-26076?
CVE-2021-26076 is a vulnerability in the Jira Editor Plugin in Jira Server and Data Center.
How does CVE-2021-26076 impact Atlassian Jira?
CVE-2021-26076 allows remote anonymous attackers to learn information about Jira users.
What is the severity of CVE-2021-26076?
The severity of CVE-2021-26076 is medium with a CVSS score of 3.7.
Which versions of Atlassian Jira are affected by CVE-2021-26076?
CVE-2021-26076 affects Atlassian Jira versions 8.5.12, 8.6.0 to 8.13.4, and 8.14.0 to 8.15.0.
How can I fix CVE-2021-26076?
To fix CVE-2021-26076, update Jira Server or Data Center to version 8.5.12 or higher.
- collector/nvd-index
- vendor/atlassian
- canonical/atlassian data center
- canonical/atlassian jira
- canonical/atlassian jira data center
- version/atlassian jira data center/8.6.0
- version/atlassian jira data center/8.14.0
- canonical/atlassian jira server
- version/atlassian jira server/8.6.0
- version/atlassian jira server/8.14.0