CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | AV:N/AC:L/Au:N/C:P/I:N/A:N |

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |

EPSS

Metric | Value |
---|---|
Percentile | 43.8% |
Recently we have identified that, on top of the libraries mentioned in JRASERVER-73580, there was another library (atlassian-authentication-plugin) that has a transitive dependency on xmlsec that could be related to the vulnerability described in [CVE-2021-40690|https://nvd.nist.gov/vuln/detail/CVE-2021-40690].
(i) Note that, based on our assessment, the vulnerability is more theoretical and no known exploits exist.
The affected versions of Jira that ship with the impacted atlassian-authentication-plugin are versions prior to 8.20.13, and versions from 8.21.0 before 9.0.0.
h4. Affected versions:
h4. Fixed versions:
h3. Workaround for Affected Versions
Deploy the new atlassian-authentication-plugin-4.2.12.jar or higher.
{panel}
(i) The fixed version of this library is atlassian-authentication-plugin-4.2.11.jar; however, we are recommending atlassian-authentication-plugin-4.2.12.jar and higher to also pick up the fix for another defect mentioned in JRASERVER-73257.
{panel}
+Detailed Steps+
{noformat}
<jira-local-home>/plugins/.bundled-plugins
<jira-local-home>/plugins/.osgi-plugins
{noformat}
(i) Please note that if you have more than one node in a Data Center cluster, perform all of the above steps on each Jira node.
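The detailed steps above name only the two plugin directories under the Jira local home. As an added check, not Atlassian's own procedure, the POSIX shell script below scans those two directories and reports whether each atlassian-authentication-plugin jar it finds is at or above the recommended 4.2.12, so an administrator can confirm the workaround took effect on every node. The function names (check_jira_home, version_ge, jar_version), the MIN_VERSION constant, and the assumption that the jar sits directly in those directories with the name pattern atlassian-authentication-plugin-<version>.jar are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Atlassian's instructions): report the version of every
# atlassian-authentication-plugin jar under a Jira local home and flag any
# that is below the version the advisory recommends.

MIN_VERSION="4.2.12"   # recommended minimum from the advisory

# version_ge A B: return 0 if dotted version A >= B (e.g. 4.2.12 >= 4.2.11).
# Components are compared numerically, so 4.10.0 > 4.2.12.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            x = (i in A) ? A[i] + 0 : 0;   # missing components count as 0
            y = (i in B) ? B[i] + 0 : 0;
            if (x > y) exit 0;
            if (x < y) exit 1;
        }
        exit 0;   # all components equal
    }'
}

# jar_version PATH: extract "4.2.12" from ".../atlassian-authentication-plugin-4.2.12.jar"
# (assumed naming pattern).
jar_version() {
    basename "$1" .jar | sed 's/^atlassian-authentication-plugin-//'
}

# check_jira_home JIRA_LOCAL_HOME: scan the two directories the advisory names.
# Prints "<jar> <version> OK|BELOW-MINIMUM" per jar found.
# Returns 0 only if at least one jar was found and none is below MIN_VERSION.
check_jira_home() {
    jira_home="$1"
    status=0
    found=0
    for dir in "$jira_home/plugins/.bundled-plugins" "$jira_home/plugins/.osgi-plugins"; do
        [ -d "$dir" ] || continue
        for jar in "$dir"/atlassian-authentication-plugin-*.jar; do
            [ -f "$jar" ] || continue      # glob did not match anything
            found=1
            v=$(jar_version "$jar")
            if version_ge "$v" "$MIN_VERSION"; then
                echo "$jar $v OK"
            else
                echo "$jar $v BELOW-MINIMUM"
                status=1
            fi
        done
    done
    if [ "$found" -eq 0 ]; then
        echo "no atlassian-authentication-plugin jar found under $jira_home"
        status=1
    fi
    return $status
}

# Usage: sh check_auth_plugin.sh <jira-local-home>   (run on every cluster node)
if [ "$#" -gt 0 ]; then
    check_jira_home "$1"
fi
```

Run it on each Data Center node with the node's local home as the argument; a non-zero exit means either no plugin jar was found in those directories or at least one jar is still below 4.2.12.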
Vendor | Product | Version | CPE |
---|---|---|---|
atlassian | jira_data_center | * | cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:* |