cnvd - cnvd-2021-44764

cnvd-2021-44764

Vulnerability from cnvd

Title: Jira Server and Jira Data Center跨站脚本漏洞

Description:

Atlassian JIRA Server和Jira Server ＆ Data Center都是澳大利亚Atlassian公司的产品。Atlassian JIRA Server是一套缺陷跟踪管理系统的服务器版本。该系统主要用于对工作中各类问题、缺陷进行跟踪管理。Jira Server ＆ Data Center是JIRA的数据中心版本。该软件被广泛应用于缺陷跟踪、客户服务、需求收集、流程审批、任务跟踪、项目跟踪和敏捷管理等工作领域。

Jira Server and Jira Data Center 存在跨站脚本漏洞，远程攻击者可利用该漏洞通过EditworkflowScheme.jspa跨站点脚本(XSS)漏洞注入任意HTML或JavaScript。

Severity: 中

Patch Name: Jira Server and Jira Data Center跨站脚本漏洞的补丁

Patch Description:

Jira Server and Jira Data Center 存在跨站脚本漏洞，远程攻击者可利用该漏洞通过EditworkflowScheme.jspa跨站点脚本(XSS)漏洞注入任意HTML或JavaScript。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://jira.atlassian.com/browse/JRASERVER-72432

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-26080

Impacted products

Name
['Atlassian Jira <8.5.14', 'Atlassian Jira >=8.6.0，<8.13.6', 'Atlassian Jira >=8.14.0，<8.16.1', 'Atlassian Data Center <8.5.14', 'Atlassian Data Center >=8.6.0，<8.13.6', 'Atlassian Data Center >=8.14.0，<8.16.1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-26080"
    }
  },
  "description": "Atlassian JIRA Server\u548cJira Server \uff06 Data Center\u90fd\u662f\u6fb3\u5927\u5229\u4e9aAtlassian\u516c\u53f8\u7684\u4ea7\u54c1\u3002Atlassian JIRA Server\u662f\u4e00\u5957\u7f3a\u9677\u8ddf\u8e2a\u7ba1\u7406\u7cfb\u7edf\u7684\u670d\u52a1\u5668\u7248\u672c\u3002\u8be5\u7cfb\u7edf\u4e3b\u8981\u7528\u4e8e\u5bf9\u5de5\u4f5c\u4e2d\u5404\u7c7b\u95ee\u9898\u3001\u7f3a\u9677\u8fdb\u884c\u8ddf\u8e2a\u7ba1\u7406\u3002Jira Server \uff06 Data Center\u662fJIRA\u7684\u6570\u636e\u4e2d\u5fc3\u7248\u672c\u3002\u8be5\u8f6f\u4ef6\u88ab\u5e7f\u6cdb\u5e94\u7528\u4e8e\u7f3a\u9677\u8ddf\u8e2a\u3001\u5ba2\u6237\u670d\u52a1\u3001\u9700\u6c42\u6536\u96c6\u3001\u6d41\u7a0b\u5ba1\u6279\u3001\u4efb\u52a1\u8ddf\u8e2a\u3001\u9879\u76ee\u8ddf\u8e2a\u548c\u654f\u6377\u7ba1\u7406\u7b49\u5de5\u4f5c\u9886\u57df\u3002\n\nJira Server and Jira Data Center \u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7EditworkflowScheme.jspa\u8de8\u7ad9\u70b9\u811a\u672c(XSS)\u6f0f\u6d1e\u6ce8\u5165\u4efb\u610fHTML\u6216JavaScript\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://jira.atlassian.com/browse/JRASERVER-72432",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-44764",
  "openTime": "2021-06-24",
  "patchDescription": "Atlassian JIRA Server\u548cJira Server \uff06 Data Center\u90fd\u662f\u6fb3\u5927\u5229\u4e9aAtlassian\u516c\u53f8\u7684\u4ea7\u54c1\u3002Atlassian JIRA Server\u662f\u4e00\u5957\u7f3a\u9677\u8ddf\u8e2a\u7ba1\u7406\u7cfb\u7edf\u7684\u670d\u52a1\u5668\u7248\u672c\u3002\u8be5\u7cfb\u7edf\u4e3b\u8981\u7528\u4e8e\u5bf9\u5de5\u4f5c\u4e2d\u5404\u7c7b\u95ee\u9898\u3001\u7f3a\u9677\u8fdb\u884c\u8ddf\u8e2a\u7ba1\u7406\u3002Jira Server \uff06 Data Center\u662fJIRA\u7684\u6570\u636e\u4e2d\u5fc3\u7248\u672c\u3002\u8be5\u8f6f\u4ef6\u88ab\u5e7f\u6cdb\u5e94\u7528\u4e8e\u7f3a\u9677\u8ddf\u8e2a\u3001\u5ba2\u6237\u670d\u52a1\u3001\u9700\u6c42\u6536\u96c6\u3001\u6d41\u7a0b\u5ba1\u6279\u3001\u4efb\u52a1\u8ddf\u8e2a\u3001\u9879\u76ee\u8ddf\u8e2a\u548c\u654f\u6377\u7ba1\u7406\u7b49\u5de5\u4f5c\u9886\u57df\u3002\r\n\r\nJira Server and Jira Data Center \u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7EditworkflowScheme.jspa\u8de8\u7ad9\u70b9\u811a\u672c(XSS)\u6f0f\u6d1e\u6ce8\u5165\u4efb\u610fHTML\u6216JavaScript\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Jira Server and Jira Data Center\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Atlassian Jira \u003c8.5.14",
      "Atlassian Jira \u003e=8.6.0\uff0c\u003c8.13.6",
      "Atlassian Jira \u003e=8.14.0\uff0c\u003c8.16.1",
      "Atlassian Data Center \u003c8.5.14",
      "Atlassian Data Center \u003e=8.6.0\uff0c\u003c8.13.6",
      "Atlassian Data Center \u003e=8.14.0\uff0c\u003c8.16.1"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-26080",
  "serverity": "\u4e2d",
  "submitTime": "2021-06-09",
  "title": "Jira Server and Jira Data Center\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2021-26080 (GCVE-0-2021-26080)

Vulnerability from cvelistv5

Published

2021-06-07 22:25

Modified

2024-10-17 14:28

Severity ?

CWE

Cross Site Scripting (XSS)

Summary

EditworkflowScheme.jspa in Jira Server and Jira Data Center before version 8.5.14, and from version 8.6.0 before version 8.13.6, and from 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability.

References

▼	URL	Tags
	https://jira.atlassian.com/browse/JRASERVER-72432	x_refsource_MISC

Impacted products

Vendor

Product

Version

▼

Atlassian

Jira Server

Version: unspecified   < 8.5.14
Version: 8.6.0   < unspecified
Version: unspecified   < 8.13.6
Version: 8.14.0   < unspecified
Version: unspecified   < 8.16.1

Atlassian

Jira Data Center

Version: unspecified   < 8.5.14
Version: 8.6.0   < unspecified
Version: unspecified   < 8.13.6
Version: 8.14.0   < unspecified
Version: unspecified   < 8.16.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T20:19:19.475Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://jira.atlassian.com/browse/JRASERVER-72432"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-26080",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-17T14:28:37.936549Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-17T14:28:50.794Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Jira Server",
          "vendor": "Atlassian",
          "versions": [
            {
              "lessThan": "8.5.14",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "8.6.0",
              "versionType": "custom"
            },
            {
              "lessThan": "8.13.6",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "8.14.0",
              "versionType": "custom"
            },
            {
              "lessThan": "8.16.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Jira Data Center",
          "vendor": "Atlassian",
          "versions": [
            {
              "lessThan": "8.5.14",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "8.6.0",
              "versionType": "custom"
            },
            {
              "lessThan": "8.13.6",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThan": "unspecified",
              "status": "affected",
              "version": "8.14.0",
              "versionType": "custom"
            },
            {
              "lessThan": "8.16.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2021-05-26T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "EditworkflowScheme.jspa in Jira Server and Jira Data Center before version 8.5.14, and from version 8.6.0 before version 8.13.6, and from 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross Site Scripting (XSS)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-07T22:25:11",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.atlassian.com/browse/JRASERVER-72432"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@atlassian.com",
          "DATE_PUBLIC": "2021-05-26T00:00:00",
          "ID": "CVE-2021-26080",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Jira Server",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "8.5.14"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "8.6.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "8.13.6"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "8.14.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "8.16.1"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Jira Data Center",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "8.5.14"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "8.6.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "8.13.6"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_value": "8.14.0"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "8.16.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Atlassian"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "EditworkflowScheme.jspa in Jira Server and Jira Data Center before version 8.5.14, and from version 8.6.0 before version 8.13.6, and from 8.14.0 before 8.16.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross Site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jira.atlassian.com/browse/JRASERVER-72432",
              "refsource": "MISC",
              "url": "https://jira.atlassian.com/browse/JRASERVER-72432"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2021-26080",
    "datePublished": "2021-06-07T22:25:11.650750Z",
    "dateReserved": "2021-01-25T00:00:00",
    "dateUpdated": "2024-10-17T14:28:50.794Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted