CVE-2021-41307
📋 TL;DR
An unauthenticated remote attacker can learn the names of private projects and saved filters in Atlassian Jira Server and Data Center through an Insecure Direct Object Reference (IDOR) in the Workload Pie Chart Gadget: the gadget's server-side resource accepts a project or filter identifier and returns the matching name without checking whether the caller is allowed to see it. Affected versions are before 8.13.12, and from 8.14.0 before 8.20.0. Only names are exposed, not issues or filter contents, but a list of private project and filter names is useful reconnaissance.
💻 Affected Systems
- Atlassian Jira Server
- Atlassian Jira Data Center
📦 What is this software?
Jira (Server and Data Center deployments) by Atlassian: issue tracking and project management software. The vulnerable component is one of the gadgets bundled with Jira for its dashboards.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could map internal project structures, identify sensitive initiatives, and use this information for social engineering or targeted attacks against specific teams.
Likely Case
Unauthorized disclosure of private project and filter names, potentially revealing organizational structure, ongoing initiatives, or sensitive work areas.
If Mitigated
Limited information disclosure with no access to actual project content or data.
🎯 Exploit Status
IDOR flaws of this kind have low exploitation complexity: no credentials are needed and each probe is a single HTTP request to the gadget's resource, so the identifier space can be walked with a short script. Treat an Internet-exposed, unpatched instance as already enumerated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.13.12 (8.13 LTS line) or 8.20.0 and later. There is no fixed release in the 8.14 to 8.19 lines; instances on those versions must move to 8.20.0 or later.
Vendor Advisory: https://jira.atlassian.com/browse/JRASERVER-72916
Restart Required: Yes
Instructions:
1. Back up the Jira home directory and database.
2. Download Jira 8.13.12 or 8.20.0 (or later) from Atlassian downloads.
3. Follow the standard Jira upgrade procedure for your deployment (single node, or every node of a Data Center cluster).
4. Restart the Jira service(s) and confirm the new version in System Info.
🔧 Temporary Workarounds
Disable the Workload Pie Chart gadget module
Applies to: all affected versions
Removing the gadget from dashboards is not enough: the IDOR is in the gadget's server-side resource, which answers requests whether or not the gadget is placed on any dashboard. The gadget ships as a module of a bundled system app (plugin key com.atlassian.jira.gadgets), so disable that module: Jira Administration > Manage apps, show system apps, expand the Jira gadgets app and disable the Workload Pie Chart Gadget module (if it is not marked as required). The Gadgets page under System settings only manages external gadget directory entries, not bundled gadgets, so it does not help here.
Reduce anonymous exposure
Applies to: all affected versions
The request needs no session, so dashboard permissions alone do not stop it. Remove anonymous access wherever possible: do not grant Browse Projects to Anyone in permission schemes, disable public sharing of filters and dashboards, and front the instance with a reverse proxy or VPN that requires authentication before any /rest/ path is reachable. This narrows who can reach the resource; it does not close the IDOR.
🧯 If You Can't Patch
- Restrict network access to Jira to trusted IP ranges or a VPN, so the gadget's resource is not reachable from the Internet
- Remove anonymous access (no Anyone-level browse permissions, no public sharing) and alert on anonymous requests to the gadget's REST paths, since any such request against an unpatched instance is either a misconfiguration or a probe
🔍 How to Verify
Check if Vulnerable:
Check the Jira version in Administration > System > System Info. If the version is before 8.13.12, or is 8.14.0 or later but before 8.20.0, the instance is vulnerable. Versions 8.13.12 and later in the 8.13 line, and 8.20.0 and later, are fixed.
Check Version:
Check via the web interface (Administration > System > System Info, or the version shown in the page footer), or query GET /rest/api/2/serverInfo, whose JSON response carries the version and buildNumber fields. That endpoint is reachable without a session on most instances, which also makes it a convenient fleet-wide check.
Verify Fix Applied:
Confirm the Jira version is 8.13.12 or later in the 8.13 line, or 8.20.0 or later, in System Info. Then, from a session that is not logged in, confirm that the gadget no longer returns the name of a private project or filter for its identifier.
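The version ranges above are easy to get wrong by hand (8.13.15 is fixed, 8.19.1 is not). The following is an added example, not code from the page or from Atlassian, that encodes the affected ranges as tuple comparisons and optionally reads the version from /rest/api/2/serverInfo. The fetch_version helper and the base URL it takes are assumptions for illustration; only the range logic is taken from the advisory.

```python
"""Decide whether a Jira Server / Data Center version is affected by CVE-2021-41307.

Added example (not Atlassian's code). Ranges per the advisory:
vulnerable if version < 8.13.12, or 8.14.0 <= version < 8.20.0.
"""
import json
import urllib.request
from typing import Tuple

FIXED_LTS = (8, 13, 12)          # first fixed release in the 8.13 LTS line
FIXED_RANGE_START = (8, 14, 0)   # 8.14.0 .. 8.19.x have no fixed release
FIXED_RANGE_END = (8, 20, 0)     # first fixed release after the 8.14-8.19 gap


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '8.13.11' or '8.20.0-rc1' into a comparable (major, minor, patch) tuple.

    A pre-release suffix is dropped; missing components are treated as 0,
    so '8.13' compares as 8.13.0 (i.e. vulnerable).
    """
    core = version.strip().split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside either affected range."""
    v = parse_version(version)
    if v < FIXED_LTS:
        return True
    return FIXED_RANGE_START <= v < FIXED_RANGE_END


def fetch_version(base_url: str, timeout: float = 10.0) -> str:
    """Read the 'version' field from /rest/api/2/serverInfo.

    Hypothetical helper for illustration: performs a network request, so it is
    not exercised offline. base_url is e.g. 'https://jira.example.internal'.
    """
    url = base_url.rstrip("/") + "/rest/api/2/serverInfo"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample inputs; a fleet check would replace these with fetch_version() results.
    for sample in ("8.5.0", "8.13.11", "8.13.12", "8.13.15", "8.14.0", "8.19.1", "8.20.0", "9.4.0"):
        print(sample, "VULNERABLE" if is_vulnerable(sample) else "fixed")
```

Run it against the output of /rest/api/2/serverInfo for each instance you operate; anything reported as VULNERABLE goes on the upgrade list, and note that the same check applies to every node of a Data Center cluster.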
📡 Detection & Monitoring
Log Indicators:
- Anonymous requests (user field "-") in Jira's Tomcat access log (atlassian-jira/logs/access_log.<date>) to the Workload Pie Chart gadget's resources, especially a run of requests from one client that step through many project or filter identifiers
- The spec URL /rest/gadgets/1.0/g/com.atlassian.jira.gadgets:workload-pie-chart-gadget identifies the gadget; the data it renders is fetched from resources under /rest/gadget/1.0/ (singular), so watch both prefixes
Network Indicators:
- Requests to these paths carrying no JSESSIONID cookie and no Authorization header
- Bursts of gadget traffic from sources that never load a dashboard page, or from ranges that normally never reach Jira
SIEM Query (Splunk syntax; assumes the access log is parsed into src_ip, user and uri_path, and that the gadget's projectOrFilterId query parameter is extracted as a field):
source="*access_log*" (uri_path="/rest/gadgets/1.0/g/com.atlassian.jira.gadgets:workload-pie-chart-gadget*" OR uri_path="/rest/gadget/1.0/workloadpie*") (user="-" OR user="") | stats count dc(projectOrFilterId) AS ids BY src_ip | where ids > 5