CVE-2021-26076

Summary

The jira.editor.user.mode cookie set by the Jira Editor Plugin in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.0 allows remote anonymous attackers who can perform an attacker in the middle attack to learn which mode a user is editing in due to the cookie not being set with a secure attribute if Jira was configured to use https.

Affected Software

VendorProductVersion RangeStatus
AtlassianJira Serverunspecified < 8.5.12affected
AtlassianJira Server8.6.0 < unspecifiedaffected
AtlassianJira Serverunspecified < 8.13.4affected
AtlassianJira Server8.14.0 < unspecifiedaffected
AtlassianJira Serverunspecified < 8.15.0affected
AtlassianJira Data Centerunspecified < 8.5.12affected
AtlassianJira Data Center8.6.0 < unspecifiedaffected
AtlassianJira Data Centerunspecified < 8.13.4affected
AtlassianJira Data Center8.14.0 < unspecifiedaffected
AtlassianJira Data Centerunspecified < 8.15.0affected

Weaknesses

  • Security Misconfiguration

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References