First published: Wed Sep 08 2021 (Updated: )
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to view users' emails via an Information Disclosure vulnerability in the /rest/api/2/search endpoint. The affected versions are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 before 8.15.1.
Credit: security@atlassian.com
Affected Software | Affected Version | How to fix |
---|---|---|
Atlassian Data Center | <8.5.13 | |
Atlassian Jira | <8.5.13 | |
Atlassian Data Center | >=8.6.0, <8.13.5 | |
Atlassian Data Center | >=8.14.0, <8.15.1 | |
Atlassian Server | >=8.6.0, <8.13.5 | |
Atlassian Server | >=8.14.0, <8.15.1 | |
The vulnerability ID is CVE-2021-39122.
The severity of CVE-2021-39122 is medium with a severity value of 5.3.
The affected versions of Atlassian Jira Server and Data Center are before version 8.5.13, from version 8.6.0 before 8.13.5, and from version 8.14.0 to version 8.15.0.
An anonymous remote attacker can exploit CVE-2021-39122 by making requests to the /rest/api/2/search endpoint to view users' emails.
The fix for CVE-2021-39122 is to upgrade to a version of Atlassian Jira Server or Data Center that is not affected by the vulnerability.
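To turn the three affected ranges above into a repeatable check, the following added example (not Atlassian's code) parses a Jira version string and reports whether it falls inside any of them. It assumes the version is read from the JSON that Jira's `/rest/api/2/serverInfo` endpoint returns; the sample response embedded below is constructed, not captured from a real server.

```python
"""Check a Jira Server / Data Center version against the CVE-2021-39122
affected ranges: <8.5.13, >=8.6.0 <8.13.5, >=8.14.0 <8.15.1 (from the advisory)."""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges as (inclusive lower bound or None, exclusive upper bound).
AFFECTED_RANGES = [
    (None, (8, 5, 13)),
    ((8, 6, 0), (8, 13, 5)),
    ((8, 14, 0), (8, 15, 1)),
]


def parse_version(text: str) -> Version:
    """Turn '8.13.4' (a suffix such as '-SNAPSHOT' is ignored) into an int tuple."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so '8.5' compares like 8.5.0.
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(version: str) -> bool:
    """True if the version lies in one of the advisory's affected ranges."""
    v = parse_version(version)
    return any((low is None or v >= low) and v < high for low, high in AFFECTED_RANGES)


def check_server_info(server_info_json: str) -> dict:
    """Evaluate the JSON body returned by GET /rest/api/2/serverInfo."""
    info = json.loads(server_info_json)
    version = info["version"]
    return {"version": version, "affected": is_affected(version)}


# Constructed sample response (hypothetical host, not real server output).
SAMPLE_SERVER_INFO = (
    '{"baseUrl": "https://jira.example.invalid", "version": "8.13.4", '
    '"deploymentType": "Server"}'
)

if __name__ == "__main__":
    print(check_server_info(SAMPLE_SERVER_INFO))
```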