CVE-2021-26075

The Jira importers plugin AttachTemporaryFile rest resource in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before 8.13.4, and from version 8.14.0 before 8.15.1 allowed remote authenticated attackers to obtain the full path of the Jira application data directory via an information disclosure vulnerability in the error message when presented with an invalid filename.

Published: Apr 15, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-26075
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:P/I:N/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
atlassian / data_center	-	8.5.12
atlassian / jira	-	8.5.12
atlassian / jira_server	8.14.0	8.15.1
atlassian / jira_server	8.6.0	8.13.4
atlassian / jira_data_center	8.6.0	8.13.4
atlassian / jira_data_center	8.14.0	8.15.1

https://jira.atlassian.com/browse/JRASERVER-72316

Vulnerability Database

289,784

CVE-2021-26075