Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to add administrator groups to filter subscriptions via a Broken Access Control vulnerability in the /secure/EditSubscription.jspa endpoint. The affected versions are before version 8.13.21, and from version 8.14.0 before 8.20.9.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Vendors Products
Atlassian
  • Jira Data Center
  • Jira Server

Configuration 1 [-]

OR cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*

No data.

References
Link Providers
https://jira.atlassian.com/browse/JRASERVER-73071 cve-icon cve-icon
History

Tue, 08 Oct 2024 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
cve-icon MITRE

Status: PUBLISHED

Assigner: atlassian

Published: 2022-01-05T03:40:09.602779Z

Updated: 2024-10-08T14:24:15.786Z

Reserved: 2021-11-16T00:00:00

Link: CVE-2021-43946

cve-icon Vulnrichment

Updated: 2024-08-04T04:10:17.348Z

cve-icon NVD

Status : Modified

Published: 2022-01-05T04:15:07.497

Modified: 2024-11-21T06:30:03.630

Link: CVE-2021-43946

cve-icon Redhat

No data.