CVE-2021-39113
📋 TL;DR
This vulnerability allows anonymous remote attackers to view cached content in Atlassian Jira Server and Data Center even after the permission to view that content has been revoked. It affects organizations running vulnerable versions of Jira, potentially exposing sensitive information to unauthorized users. The issue stems from broken access control in the allowlist feature.
💻 Affected Systems
- Atlassian Jira Server
- Atlassian Jira Data Center
📦 What is this software?
Data Center by Atlassian
Jira by Atlassian
Jira Server by Atlassian
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users access sensitive cached data including project details, issue contents, and potentially confidential information that should be restricted.
Likely Case
Anonymous or low-privilege users view cached content they shouldn't have access to, potentially exposing internal project details or sensitive issue information.
If Mitigated
Limited exposure of non-critical cached content with proper network segmentation and access controls in place.
🎯 Exploit Status
Exploitation requires anonymous access to be enabled and knowledge of cached content URLs. No public exploit code is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.13.9 or 8.18.0 and later
Vendor Advisory: https://jira.atlassian.com/browse/JRASERVER-72573
Restart Required: Yes
Instructions:
1. Back up your Jira instance.
2. Download and install Jira version 8.13.9 or 8.18.0+.
3. Follow Atlassian's upgrade documentation.
4. Restart Jira services.
5. Verify the upgrade was successful.
🔧 Temporary Workarounds
Disable Anonymous Access
Prevent anonymous users from accessing Jira, which mitigates the vulnerability for external attackers.
Navigate to Jira Administration > System > General Configuration > Edit Settings > Set 'Allow anonymous access' to false
Clear Jira Caches
Regularly clear cached content to reduce the window of exposure for sensitive information.
Navigate to Jira Administration > System > Troubleshooting and support tools > Caches > Clear all caches
🧯 If You Can't Patch
- Implement strict network access controls to limit Jira access to authorized users only
- Disable anonymous access and require authentication for all Jira functions
🔍 How to Verify
Check if Vulnerable:
Check the Jira version via Administration > System > System info (or with the command below) and compare it against the fixed versions: anything below 8.13.9, or from 8.14.0 below 8.18.0, is vulnerable.
Check Version:
java -jar atlassian-jira/WEB-INF/lib/jira-core-*.jar --version
Verify Fix Applied:
Verify Jira version is 8.13.9 or 8.18.0+ and test that anonymous users cannot access cached content they shouldn't have permissions for.
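The version comparison above is easy to get wrong at scale because the fix lives on two release lines (8.13.9 on the 8.13 line, 8.18.0 everywhere else). The following Python helper, added here as an example and not part of the advisory, encodes that rule for an inventory of hosts; the host names and versions are constructed sample data.

```python
import re

# Fix versions as stated in the advisory summary: 8.13.9 on the 8.13 line,
# 8.18.0 for every other line. Assumption: the 8.14 to 8.17 lines received no
# backported fix, so they stay vulnerable until 8.18.0.
FIXED_8_13 = (8, 13, 9)
FIXED_MAIN = (8, 18, 0)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn a Jira version string such as '8.13.8' or '8.18' into a 3-tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Jira version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable_to_cve_2021_39113(version: str) -> bool:
    """True when the installed version predates the fix on its release line."""
    v = parse_version(version)
    if v[:2] == (8, 13):          # 8.13.x LTS line: fixed from 8.13.9
        return v < FIXED_8_13
    return v < FIXED_MAIN         # all other lines: fixed from 8.18.0


def triage(inventory: dict[str, str]) -> dict[str, bool]:
    """Map host -> vulnerable flag for a dict of host -> version string."""
    return {host: is_vulnerable_to_cve_2021_39113(ver)
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {
        "jira-a.example": "8.13.8",   # vulnerable: below 8.13.9
        "jira-b.example": "8.13.9",   # fixed on the 8.13 line
        "jira-c.example": "8.17.1",   # vulnerable: 8.14.0 <= v < 8.18.0
        "jira-d.example": "8.18.0",   # fixed
        "jira-e.example": "8.5.14",   # vulnerable: below 8.13.9
    }
    for host, vuln in triage(sample).items():
        print(f"{host}: {'VULNERABLE' if vuln else 'fixed'}")
```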
📡 Detection & Monitoring
Log Indicators:
- Anonymous user access to cached content URLs
- Access denied errors followed by successful cached content retrieval
Network Indicators:
- Unusual anonymous traffic patterns to cached content endpoints
- Requests to /rest/api/2/filter/* or similar cached endpoints from unauthenticated sources
SIEM Query:
source="jira.log" AND (anonymous OR unauthenticated) AND (cache OR cached) AND (access OR view)