CVE-2021-39123

7.5 HIGH

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to cause a Denial of Service (DoS) in Atlassian Jira Server and Data Center by exploiting a specific REST endpoint. The attack impacts application availability without requiring authentication. Organizations running affected Jira versions before 8.16.0 are vulnerable.

💻 Affected Systems

Products:
  • Atlassian Jira Server
  • Atlassian Jira Data Center
Versions: All versions before 8.16.0
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable endpoint is accessible by default in standard Jira installations.

📦 What is this software?

Jira Server and Jira Data Center are Atlassian's self-hosted editions of the Jira issue-tracking and project-management platform; Data Center is the clustered edition for large or high-availability deployments. Both expose the same web interface and REST API, including the dashboard gadget endpoints involved in this issue.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption making Jira unavailable to all users, potentially affecting business operations that depend on issue tracking and project management.

🟠

Likely Case

Temporary service degradation or intermittent outages affecting user productivity and workflow continuity.

🟢

If Mitigated

Minimal impact with proper network controls and monitoring in place to detect and block exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No (none known at time of writing)
Weaponized: LIKELY (not confirmed; the lack of authentication and the low complexity make a working exploit easy to build)
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and targets a specific REST endpoint, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.16.0 and later

Vendor Advisory: https://jira.atlassian.com/browse/JRASERVER-72237

Restart Required: Yes

Instructions:

1. Back up your Jira instance and database.
2. Download Jira version 8.16.0 or later from Atlassian's website.
3. Follow Atlassian's upgrade documentation for your specific deployment type (Server or Data Center).
4. Restart Jira services after the upgrade completes.

🔧 Temporary Workarounds

Block Vulnerable Endpoint

Platform: All

Configure the web application firewall or reverse proxy in front of Jira to block access to the /rest/gadget/1.0/createdVsResolved/generate endpoint. This only helps if all client traffic passes through the proxy (restrict direct access to the Tomcat connector port as well), and it disables the Created vs Resolved chart gadget on dashboards until the patch is applied. If Jira runs under a context path (for example /jira), prefix the path accordingly.

# Example for Apache mod_rewrite (server or virtual-host context; in a .htaccess file drop the leading slash from the pattern)
RewriteEngine On
RewriteRule ^/rest/gadget/1.0/createdVsResolved/generate - [F,L]
# Example for Nginx
location ~ ^/rest/gadget/1.0/createdVsResolved/generate { return 403; }

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to Jira from untrusted networks
  • Deploy rate limiting on the vulnerable endpoint (for example Nginx limit_req) to blunt request floods; per-source-IP limits only reduce exposure, since a distributed attacker, or a small number of expensive requests, can still degrade the service

🔍 How to Verify

Check if Vulnerable:

Check the Jira version via Administration → System → System Info (or the REST endpoint /rest/api/2/serverInfo). If the version is below 8.16.0 and the vendor advisory lists no backported fix for your release line, the system is vulnerable.

Check Version:

Check the Jira web interface at Administration → System → System Info, query the REST API (curl -s https://jira.example.com/rest/api/2/serverInfo returns a JSON body with a "version" field and is normally readable without credentials; the hostname is an example), or on the server run: cat /path/to/jira/atlassian-jira/META-INF/maven/com.atlassian.jira/jira-core/pom.xml | grep version
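The version check described above, as an added example that is not part of the original advisory or Atlassian's tooling: it evaluates the JSON returned by GET /rest/api/2/serverInfo against the 8.16.0 fix line, preferring the numeric "versionNumbers" array over the "version" string. The sample response body is constructed; the live fetch is only used when a base URL is passed on the command line.

```python
"""Added example, not from the advisory or from Atlassian: decide whether a
Jira Server / Data Center instance is below the 8.16.0 fix version using the
JSON returned by GET /rest/api/2/serverInfo. The sample response is constructed."""
import json
import re
import sys
import urllib.request

FIXED_VERSION = (8, 16, 0)  # first fixed release per the advisory


def parse_version(version: str) -> tuple:
    """Turn '8.15.1', '8.16' or '8.20.3-m0002' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Jira version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version: str) -> bool:
    """True when the version predates the 8.16.0 fix."""
    return parse_version(version) < FIXED_VERSION


def assess_server_info(body: str) -> dict:
    """Evaluate a serverInfo JSON body. Prefers the numeric 'versionNumbers'
    array when present and falls back to parsing the 'version' string."""
    info = json.loads(body)
    nums = info.get("versionNumbers")
    if nums:
        parsed = tuple(int(n) for n in nums[:3])
        parsed += (0,) * (3 - len(parsed))  # pad '8.16' style arrays to three parts
    else:
        parsed = parse_version(info["version"])
    return {
        "version": info.get("version"),
        "deployment_type": info.get("deploymentType"),
        "vulnerable": parsed < FIXED_VERSION,
        "fix_version": ".".join(map(str, FIXED_VERSION)),
    }


def fetch_server_info(base_url: str, timeout: float = 10.0) -> str:
    """Live lookup; serverInfo is normally readable without credentials."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/rest/api/2/serverInfo",
        headers={"Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample body in the shape serverInfo returns; the values are made up.
SAMPLE_SERVER_INFO = json.dumps({
    "baseUrl": "https://jira.example.internal",
    "version": "8.13.4",
    "versionNumbers": [8, 13, 4],
    "deploymentType": "DataCenter",
    "serverTitle": "Example Jira",
})

if __name__ == "__main__":
    # usage: python check_jira.py https://jira.example.com   (no argument: evaluates the sample)
    body = fetch_server_info(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SERVER_INFO
    print(json.dumps(assess_server_info(body), indent=2))
```

Because the comparison is numeric rather than a string comparison, 8.9.x correctly sorts below 8.16.0 and milestone suffixes such as -m0002 are ignored.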

Verify Fix Applied:

After upgrading, confirm that the reported version is 8.16.0 or higher. Do not load-test the endpoint against production to prove the fix; instead remove any temporary proxy block for /rest/gadget/1.0/createdVsResolved/generate and confirm that the Created vs Resolved gadget renders normally and that request latency on the endpoint stays within its usual range.

📡 Detection & Monitoring

Log Indicators:

  • High frequency of requests to /rest/gadget/1.0/createdVsResolved/generate endpoint
  • Increased error rates or timeout messages in Jira logs
  • Unusual traffic patterns from single IP addresses

Network Indicators:

  • Bursts of HTTP POST/GET requests to the vulnerable endpoint
  • Traffic spikes from external sources to Jira REST API

SIEM Query:

source="access_log*" uri_path="/rest/gadget/1.0/createdVsResolved/generate" | stats count, avg(response_time_ms) by src_ip | where count > 20

Field names depend on how your SIEM parses the log. The relevant source is Jira's Tomcat access log (access_log.* in the installation's logs directory), which records the request path, source IP and response time per request; the application log atlassian-jira.log only shows the resulting timeouts and errors.
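The same burst detection run over access-log lines, as an added example rather than anything from the advisory or from Atlassian: it parses lines in Jira's Tomcat access-log layout (source IP, request id, user, timestamp, request line, status, bytes, response time in milliseconds), keeps only hits on the vulnerable endpoint, and flags a source IP when it exceeds a request threshold inside a sliding time window or when a single request takes unusually long to serve. The log pattern, thresholds and sample lines are assumptions; adjust LINE_RE to the access-log pattern configured in your server.xml.

```python
"""Added example, not from the advisory: flag request bursts and slow responses
against the CVE-2021-39123 endpoint in Jira's Tomcat access log. Log layout,
thresholds and the sample lines are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ENDPOINT = "/rest/gadget/1.0/createdVsResolved/generate"

# Assumed Jira access-log layout:
# ip request-id user [time] "request" status bytes time-ms "referer" "user-agent" "session"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<reqid>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) (?P<ms>\d+)'
)


def parse_line(line: str):
    """Return a dict for a recognised line, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    rec["ms"] = int(rec["ms"])
    return rec


def find_bursts(lines, window_s=60, threshold=10, slow_ms=5000):
    """Alerts keyed by source IP: peak number of hits on ENDPOINT inside any
    window_s-second window, and the number of hits slower than slow_ms."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == ENDPOINT:
            hits[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        times = [r["ts"] for r in recs]
        peak, start = 0, 0
        for end in range(len(times)):  # two-pointer sliding window
            while times[end] - times[start] > timedelta(seconds=window_s):
                start += 1
            peak = max(peak, end - start + 1)
        slow = sum(1 for r in recs if r["ms"] >= slow_ms)
        if peak >= threshold or slow:
            alerts[ip] = {"peak_in_window": peak, "slow_responses": slow, "total": len(recs)}
    return alerts


def _line(ip, offset_s, path, ms, status=200):
    """Build one constructed access-log line offset_s seconds after a fixed start."""
    start = datetime(2021, 9, 3, 10, 0, 0, tzinfo=timezone.utc)
    ts = (start + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return (f'{ip} 1108x{offset_s}x1 - [{ts}] "GET {path} HTTP/1.1" {status} 4321 {ms} '
            f'"-" "python-requests/2.26.0" "-"')


# Constructed sample: one source hammering the endpoint, one normal user whose
# second request is unusually slow, and one unrelated request.
SAMPLE_LOG = (
    [_line("203.0.113.10", i * 3, ENDPOINT + "?projectOrFilterId=filter-10000", 800) for i in range(12)]
    + [
        _line("198.51.100.7", 5, ENDPOINT + "?projectOrFilterId=project-10001", 300),
        _line("198.51.100.7", 400, ENDPOINT + "?projectOrFilterId=project-10001", 9500),
        _line("192.0.2.4", 20, "/rest/api/2/issue/TEST-1", 40),
    ]
)

if __name__ == "__main__":
    for ip, info in find_bursts(SAMPLE_LOG).items():
        print(ip, info)
```

The slow-response rule matters as much as the burst rule: a resource-exhaustion DoS can succeed with a handful of requests, so a single source generating multi-second responses on this endpoint deserves a look even when it never trips the rate threshold.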
