CVE-2021-26075

EUVD-2021-12897
The Jira importers plugin AttachTemporaryFile rest resource in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before 8.13.4, and from version 8.14.0 before 8.15.1 allowed remote authenticated attackers to obtain the full path of the Jira application data directory via an information disclosure vulnerability in the error message when presented with an invalid filename.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 49%
Affected Products (NVD)
VendorProductVersion
atlassiandata_center
𝑥
< 8.5.12
atlassianjira
𝑥
< 8.5.12
atlassianjira_data_center
8.6.0 ≤
𝑥
< 8.13.4
atlassianjira_data_center
8.14.0 ≤
𝑥
< 8.15.1
atlassianjira_server
8.6.0 ≤
𝑥
< 8.13.4
atlassianjira_server
8.14.0 ≤
𝑥
< 8.15.1
𝑥
= Vulnerable software versions
References
https://jira.atlassian.com/browse/JRASERVER-72316
https://jira.atlassian.com/browse/JRASERVER-72316