CVE-2021-39113 | Vulnerability Database | Aqua Security

NVD

https://nvd.nist.gov/vuln/detail/CVE-2021-39113

CWE

https://cwe.mitre.org/data/definitions/613.html

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to continue to view cached content even after losing permissions, via a Broken Access Control vulnerability in the allowlist feature. The affected versions are before version 8.13.9, and from version 8.14.0 before 8.18.0.

Weakness

According to WASC, “Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.”

Affected Software

Name	Vendor	Start Version	End Version
Data_center	Atlassian	*	8.13.9 (excluding)
Jira	Atlassian	*	8.13.9 (excluding)
Jira_data_center	Atlassian	8.14.0 (including)	8.18.0 (excluding)
Jira_server	Atlassian	8.14.0 (including)	8.18.0 (excluding)

Potential Mitigations

References

https://jira.atlassian.com/browse/JRASERVER-72573
https://jira.atlassian.com/browse/JRASERVER-72573