CVE-2021-41305
📋 TL;DR
This vulnerability allows anonymous remote attackers to view private project and filter names in Atlassian Jira Server and Data Center via an Insecure Direct Object Reference (IDOR) flaw in the Average Number of Times in Status Gadget. Organizations running affected Jira versions before 8.13.12 are impacted, potentially exposing sensitive internal project information.
💻 Affected Systems
- Atlassian Jira Server
- Atlassian Jira Data Center
📦 What is this software?
Jira by Atlassian
⚠️ Risk & Real-World Impact
Worst Case
Attackers map organizational structure, identify sensitive projects, and use this reconnaissance for targeted attacks or social engineering campaigns.
Likely Case
Unauthorized disclosure of private project and filter names, potentially revealing internal initiatives, team structures, or confidential work.
If Mitigated
Limited information disclosure with no access to actual project content or data.
🎯 Exploit Status
IDOR vulnerabilities typically have low exploitation complexity. No public exploit code is known, but the vulnerability type suggests straightforward exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.13.12 and later
Vendor Advisory: https://jira.atlassian.com/browse/JRASERVER-72813
Restart Required: Yes
Instructions:
1. Download Jira version 8.13.12 or later from Atlassian's website.
2. Backup your Jira instance and database.
3. Stop Jira service.
4. Install the updated version following Atlassian's upgrade guide.
5. Restart Jira service.
6. Verify the update was successful.
🔧 Temporary Workarounds
Disable the vulnerable gadget
- Remove or disable the Average Number of Times in Status Gadget from all dashboards
- Navigate to Jira Administration > System > General Configuration > Gadgets
- Disable or remove the affected gadget
Restrict anonymous access
- Configure Jira to require authentication for all users
- Navigate to Jira Administration > System > General Configuration > Global Permissions
- Remove 'Anyone' from Browse Users permission
- Configure project permissions to remove anonymous access
🧯 If You Can't Patch
- Implement network-level restrictions to limit Jira access to trusted IP addresses only
- Enable detailed logging and monitoring for suspicious access patterns to the affected gadget
🔍 How to Verify
Check if Vulnerable:
Check Jira version in Administration > System > System Info. If version is below 8.13.12, the system is vulnerable.
Check Version:
Check via Jira web interface: Administration > System > System Info, or via command line: cat /path/to/jira/atlassian-jira/META-INF/maven/com.atlassian.jira/jira-core/pom.xml | grep version
Verify Fix Applied:
After patching, verify version is 8.13.12 or higher. Test anonymous access to the Average Number of Times in Status Gadget to confirm private project names are no longer accessible.
📡 Detection & Monitoring
Log Indicators:
- Unusual anonymous user access to gadget endpoints
- Multiple failed authentication attempts followed by gadget access
- Access to /rest/gadget/1.0/current/gadgets/* endpoints from unauthenticated users
Network Indicators:
- HTTP requests to gadget REST API endpoints without authentication headers
- Unusual traffic patterns to Jira from external IPs
SIEM Query:
source="jira.log" AND (uri_path="/rest/gadget/1.0/current/gadgets/" OR uri_path="/rest/gadget/1.0/current/gadgets/*") AND user="anonymous"
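As an added defender-side example (not code from this page or from Atlassian), the following Python script combines the two checks above: it compares a Jira version against the fixed release stated here, and it scans access-log lines for unauthenticated requests to the gadget REST endpoints. It assumes a Tomcat-style Jira access-log layout where the username field is "-" for anonymous requests; the log lines and the "example-*" gadget names are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Fixed version as stated on this page; anything below it is treated as affected.
FIXED_VERSION = (8, 13, 12)
# Endpoint prefix named in the page's log indicators.
GADGET_PREFIX = "/rest/gadget/1.0/current/gadgets/"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.13.11' into (8, 13, 11) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True when the running Jira version is below the fixed release."""
    return parse_version(version) < FIXED_VERSION


# Assumed access-log layout (Tomcat-style, as Jira writes by default):
#   <client ip> <request id> <username or '-'> [<timestamp>] "<METHOD> <path> HTTP/x" <status> ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) (?P<reqid>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def anonymous_gadget_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return the entries where an unauthenticated client reached the gadget REST API."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m is None:
            continue  # not an access-log line in the assumed layout
        if m["user"] == "-" and m["path"].startswith(GADGET_PREFIX):
            hits.append({"ip": m["ip"], "path": m["path"], "status": m["status"]})
    return hits


# Constructed sample lines (not real logs): two anonymous gadget requests, one authenticated
# gadget request, and one anonymous request to an unrelated page.
SAMPLE_LOG = [
    '203.0.113.7 1001x1x1 - [12/Oct/2021:10:15:32 +0000] "GET /rest/gadget/1.0/current/gadgets/example-stat HTTP/1.1" 200 512',
    '203.0.113.7 1001x2x1 - [12/Oct/2021:10:15:33 +0000] "GET /rest/gadget/1.0/current/gadgets/example-other HTTP/1.1" 200 498',
    '10.0.0.5 1002x1x1 jdoe [12/Oct/2021:10:16:01 +0000] "GET /rest/gadget/1.0/current/gadgets/example-stat HTTP/1.1" 200 512',
    '203.0.113.7 1003x1x1 - [12/Oct/2021:10:16:10 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    print("8.13.11 vulnerable:", is_vulnerable("8.13.11"))
    for hit in anonymous_gadget_hits(SAMPLE_LOG):
        print("anonymous gadget access:", hit)
```

Point the scanner at a real access log only after confirming its layout matches the assumed one; a mismatch silently yields no hits rather than an error.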