CVE-2021-39112
25.08.2021, 03:15
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to redirect users to a malicious URL via a reverse tabnapping vulnerability in the Project Shortcuts feature. The affected versions are before version 8.5.15, from version 8.6.0 before 8.13.7, from version 8.14.0 before 8.17.1, and from version 8.18.0 before 8.18.1.
| Vendor | Product | Version |
|---|---|---|
| atlassian | data_center | 𝑥 < 8.5.15 |
| atlassian | jira | 𝑥 < 8.5.15 |
| atlassian | jira_data_center | 8.6.0 ≤ 𝑥 < 8.13.7 |
| atlassian | jira_data_center | 8.14.0 ≤ 𝑥 < 8.17.1 |
| atlassian | jira_data_center | 8.18.0 ≤ 𝑥 < 8.18.1 |
| atlassian | jira_server | 8.6.0 ≤ 𝑥 < 8.13.7 |
| atlassian | jira_server | 8.14.0 ≤ 𝑥 < 8.17.1 |
| atlassian | jira_server | 8.18.0 ≤ 𝑥 < 8.18.1 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-1022 - Use of Web Link to Untrusted Target with window.opener AccessThe web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.