cnvd - cnvd-2022-16916

CNVD-2022-16916

Vulnerability from cnvd - Published: 2022-03-05

Title

Atlassian Jira Service Management Server授权问题漏洞

Description

Atlassian Jira Service 是澳大利亚Atlassian公司的一套IT服务台与请求跟踪系统的服务器版。该系统主要用于接收、跟踪和管理团队客户的请求。 Atlassian Jira Service Management Server存在授权问题漏洞，该漏洞源于”移动对象”功能中的不当授权。远程攻击者可利用此漏洞查看私有对象的名称。

Severity

中

Patch Name

Atlassian Jira Service Management Server授权问题漏洞的补丁

Patch Description

Atlassian Jira Service 是澳大利亚Atlassian公司的一套IT服务台与请求跟踪系统的服务器版。该系统主要用于接收、跟踪和管理团队客户的请求。 Atlassian Jira Service Management Server存在授权问题漏洞，该漏洞源于”移动对象”功能中的不当授权。攻击者可利用此漏洞查看私有对象的名称。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://jira.atlassian.com/browse/JSDSERVER-10981

Reference

https://jira.atlassian.com/browse/JSDSERVER-10981

Impacted products

Name
Atlassian Jira Service Management Server < 4.21.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-43948",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-43948"
    }
  },
  "description": "Atlassian Jira Service \u662f\u6fb3\u5927\u5229\u4e9aAtlassian\u516c\u53f8\u7684\u4e00\u5957IT\u670d\u52a1\u53f0\u4e0e\u8bf7\u6c42\u8ddf\u8e2a\u7cfb\u7edf\u7684\u670d\u52a1\u5668\u7248\u3002\u8be5\u7cfb\u7edf\u4e3b\u8981\u7528\u4e8e\u63a5\u6536\u3001\u8ddf\u8e2a\u548c\u7ba1\u7406\u56e2\u961f\u5ba2\u6237\u7684\u8bf7\u6c42\u3002\n\nAtlassian Jira Service Management Server\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u201d\u79fb\u52a8\u5bf9\u8c61\u201d\u529f\u80fd\u4e2d\u7684\u4e0d\u5f53\u6388\u6743\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u67e5\u770b\u79c1\u6709\u5bf9\u8c61\u7684\u540d\u79f0\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://jira.atlassian.com/browse/JSDSERVER-10981",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-16916",
  "openTime": "2022-03-05",
  "patchDescription": "Atlassian Jira Service \u662f\u6fb3\u5927\u5229\u4e9aAtlassian\u516c\u53f8\u7684\u4e00\u5957IT\u670d\u52a1\u53f0\u4e0e\u8bf7\u6c42\u8ddf\u8e2a\u7cfb\u7edf\u7684\u670d\u52a1\u5668\u7248\u3002\u8be5\u7cfb\u7edf\u4e3b\u8981\u7528\u4e8e\u63a5\u6536\u3001\u8ddf\u8e2a\u548c\u7ba1\u7406\u56e2\u961f\u5ba2\u6237\u7684\u8bf7\u6c42\u3002\r\n\r\nAtlassian Jira Service Management Server\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u201d\u79fb\u52a8\u5bf9\u8c61\u201d\u529f\u80fd\u4e2d\u7684\u4e0d\u5f53\u6388\u6743\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u67e5\u770b\u79c1\u6709\u5bf9\u8c61\u7684\u540d\u79f0\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Atlassian Jira Service Management Server\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Atlassian Jira Service Management Server \u003c 4.21.0"
  },
  "referenceLink": "https://jira.atlassian.com/browse/JSDSERVER-10981",
  "serverity": "\u4e2d",
  "submitTime": "2022-02-17",
  "title": "Atlassian Jira Service Management Server\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2021-43948 (GCVE-0-2021-43948)

Vulnerability from cvelistv5 – Published: 2022-02-15 03:35 – Updated: 2024-10-08 17:38

Summary

Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view the names of private objects via an Improper Authorization vulnerability in the "Move objects" feature. The affected versions are before version 4.21.0.

Severity ?

No CVSS data available.

CWE

Improper Authorization

Assigner

atlassian

References

URL

Tags

https://jira.atlassian.com/browse/JSDSERVER-10981

x_refsource_MISC

Impacted products

Vendor

Product

Version

Atlassian

Jira Service Management Server

Affected: unspecified , < 4.21.0 (custom)

Atlassian

Jira Service Management Data Center

Affected: unspecified , < 4.21.0 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:10:17.270Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://jira.atlassian.com/browse/JSDSERVER-10981"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-43948",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-08T17:38:30.778254Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-08T17:38:45.124Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Jira Service Management Server",
          "vendor": "Atlassian",
          "versions": [
            {
              "lessThan": "4.21.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Jira Service Management Data Center",
          "vendor": "Atlassian",
          "versions": [
            {
              "lessThan": "4.21.0",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2022-01-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view the names of private objects via an Improper Authorization vulnerability in the \"Move objects\" feature. The affected versions are before version 4.21.0."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Improper Authorization",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-15T03:35:10",
        "orgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
        "shortName": "atlassian"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.atlassian.com/browse/JSDSERVER-10981"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@atlassian.com",
          "DATE_PUBLIC": "2022-01-05T00:00:00",
          "ID": "CVE-2021-43948",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Jira Service Management Server",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "4.21.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Jira Service Management Data Center",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "4.21.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Atlassian"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Affected versions of Atlassian Jira Service Management Server and Data Center allow authenticated remote attackers to view the names of private objects via an Improper Authorization vulnerability in the \"Move objects\" feature. The affected versions are before version 4.21.0."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jira.atlassian.com/browse/JSDSERVER-10981",
              "refsource": "MISC",
              "url": "https://jira.atlassian.com/browse/JSDSERVER-10981"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f08a6ab8-ed46-4c22-8884-d911ccfe3c66",
    "assignerShortName": "atlassian",
    "cveId": "CVE-2021-43948",
    "datePublished": "2022-02-15T03:35:10.202942Z",
    "dateReserved": "2021-11-16T00:00:00",
    "dateUpdated": "2024-10-08T17:38:45.124Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-16916

CVE-2021-43948 (GCVE-0-2021-43948)

Tags

Sightings

Nomenclature