CVE-2021-41311
📋 TL;DR
This vulnerability allows attackers with revoked administrator accounts to modify project Users & Roles settings in Atlassian Jira Server and Data Center. It affects organizations using Jira versions before 8.19.1 where administrator accounts have been disabled but not properly purged from the system.
💻 Affected Systems
- Atlassian Jira Server
- Atlassian Jira Data Center
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could grant themselves or others unauthorized access to sensitive projects, modify permissions across the entire Jira instance, and potentially escalate privileges to full administrative control.
Likely Case
Former administrators could regain access to projects they previously managed, modify user roles, and disrupt project workflows or access sensitive information.
If Mitigated
With proper account lifecycle management and immediate patching, the risk is limited to a brief window where revoked accounts might still have residual access.
🎯 Exploit Status
Exploitation requires access to a revoked administrator account and knowledge of the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.19.1 or later
Vendor Advisory: https://jira.atlassian.com/browse/JRASERVER-72802
Restart Required: Yes
Instructions:
1. Backup your Jira instance and database.
2. Download Jira version 8.19.1 or later from Atlassian's website.
3. Follow the official upgrade guide for your deployment type.
4. Restart Jira services after upgrade.
5. Verify the upgrade was successful.
🔧 Temporary Workarounds
Block vulnerable endpoint via reverse proxy
Temporarily block access to the /plugins/servlet/project-config/*/roles endpoint at the reverse proxy. This only helps if every client path to Jira passes through the proxy; a direct route to the Tomcat port bypasses it.

# Example nginx config (regex locations are tried in order and only when no `^~` prefix location matched, so place this before other regex locations that could match):
    location ~ ^/plugins/servlet/project-config/.*/roles$ {
        deny all;
    }

# Example Apache config:
    <LocationMatch "^/plugins/servlet/project-config/.*/roles$">
        Require all denied
    </LocationMatch>
Immediately remove all revoked administrator accounts
Completely delete any administrator accounts that have been disabled or revoked.

# Use the Jira administration interface (User management) to permanently delete revoked admin accounts
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to Jira administration interfaces
- Enhance monitoring of the /plugins/servlet/project-config/*/roles endpoint for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check Jira version via Administration → System → System Info. If version is below 8.19.1, the system is vulnerable.
Check Version:
Check via the Jira web interface: Administration → System → System Info, or via a database query. The version string is stored in the property tables, keyed by 'jira.version' in propertyentry with its value in propertystring: SELECT ps.propertyvalue FROM propertyentry pe JOIN propertystring ps ON ps.id = pe.id WHERE pe.property_key = 'jira.version';
Verify Fix Applied:
After upgrading to 8.19.1 or later, verify the version in System Info and test that revoked admin accounts cannot access project configuration endpoints.
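When checking many instances, the version strings need a numeric comparison rather than a string one ("8.5.10" sorts lexically after "8.19.1" although it is older). The helper below is an added example, not part of this advisory or of any Atlassian tooling; it assumes the 8.19.1 fix threshold stated above and the usual Jira version layout (major.minor.patch, optionally followed by a suffix such as "-m05"), which it strips before comparing.

```python
import re

# Fixed version as stated in the advisory text above.
FIXED_VERSION = (8, 19, 1)

# Leading numeric part of a version string: "8.13.2-m05" -> "8.13.2"
_CORE_RE = re.compile(r"^\d+(?:\.\d+)*")


def parse_version(version):
    """Turn a Jira version string into a comparable tuple of ints.

    Missing components are padded with zeros so that "8.19" == (8, 19, 0).
    Raises ValueError for strings that carry no numeric version at all.
    """
    m = _CORE_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(version):
    """True when the reported Jira version is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


def triage(inventory):
    """Return the subset of an {instance: version} inventory that still needs patching."""
    return {name: ver for name, ver in inventory.items() if is_vulnerable(ver)}


if __name__ == "__main__":
    # Constructed inventory (hypothetical host names and versions).
    inventory = {"jira-prod": "8.13.9", "jira-dev": "8.19.1", "jira-test": "8.5.10"}
    for name, ver in triage(inventory).items():
        print(f"{name}: {ver} is below 8.19.1, upgrade required")
```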
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /plugins/servlet/project-config/*/roles endpoint
- Role modification events from revoked user accounts
- Failed authentication events followed by successful project configuration changes
Network Indicators:
- HTTP POST requests to /plugins/servlet/project-config/*/roles from unexpected IP addresses
- Unusual pattern of role modification requests
SIEM Query:
source="jira.log" AND (uri_path="/plugins/servlet/project-config/*/roles" OR message="*project-config*roles*") AND (user="*revoked*" OR user="*disabled*" OR status="403")
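The log and network indicators above can be turned into a small offline check over the Jira access log. The script below is an added example, not part of this advisory or of Jira itself. It assumes the default Jira/Tomcat access-log layout (client IP, request id, username, timestamp, request line, status, ...); the sample lines, the set of disabled administrator accounts and the allowed admin network are constructed for the example. A request to the project roles endpoint is flagged when it comes from an account that should be disabled or from outside the expected admin network, and a successful POST is rated higher because a role change probably went through.

```python
import ipaddress
import re

# Assumed default Jira access-log layout (adjust to your installation):
#   <ip> <request-id> <user> [<timestamp>] "<method> <path> <proto>" <status> ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<reqid>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# The endpoint named in the advisory, with any project key in the middle.
ROLES_RE = re.compile(r"^/plugins/servlet/project-config/[^/]+/roles(?:[/?].*)?$")

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
10.0.0.5 1x2y3z alice [12/Oct/2021:10:01:02 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 1234 45 "-" "Mozilla/5.0" "s1"
10.0.0.9 4a5b6c oldadmin [12/Oct/2021:10:02:10 +0000] "POST /plugins/servlet/project-config/PROJ/roles HTTP/1.1" 200 0 120 "-" "curl/7.68" "s2"
10.0.0.7 7d8e9f bob [12/Oct/2021:10:03:44 +0000] "POST /plugins/servlet/project-config/PROJ/roles HTTP/1.1" 200 0 98 "-" "Mozilla/5.0" "s3"
10.0.0.9 0g1h2i oldadmin [12/Oct/2021:10:04:05 +0000] "GET /plugins/servlet/project-config/PROJ/roles HTTP/1.1" 403 0 12 "-" "curl/7.68" "s2"
203.0.113.20 3j4k5l carol [12/Oct/2021:10:05:30 +0000] "POST /plugins/servlet/project-config/PROJ/roles HTTP/1.1" 200 0 110 "-" "Mozilla/5.0" "s4"
"""

# Constructed: accounts that were disabled/revoked (export this from Jira user management)
DISABLED_ADMINS = {"oldadmin"}
# Constructed: networks from which project administration is expected
ADMIN_NETWORKS = ["10.0.0.0/24"]


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious(log_text, disabled_users, admin_networks):
    """Return findings for roles-endpoint requests by disabled users or from unexpected IPs."""
    nets = [ipaddress.ip_network(n) for n in admin_networks]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not ROLES_RE.match(rec["path"]):
            continue
        reasons = []
        if rec["user"] in disabled_users:
            reasons.append("disabled-account")
        if not any(ipaddress.ip_address(rec["ip"]) in n for n in nets):
            reasons.append("unexpected-source-ip")
        if not reasons:
            continue
        # A POST that was not rejected most likely changed the project roles.
        changed = rec["method"] == "POST" and rec["status"] < 400
        findings.append({
            "ts": rec["ts"], "ip": rec["ip"], "user": rec["user"],
            "method": rec["method"], "status": rec["status"],
            "reasons": reasons, "severity": "high" if changed else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG, DISABLED_ADMINS, ADMIN_NETWORKS):
        print(f"[{f['severity']}] {f['ts']} {f['user']}@{f['ip']} {f['method']} {f['status']} {f['reasons']}")
```

A 403 from a disabled account is still worth a ticket: it shows the account is being used after revocation, which the advisory's "remove revoked administrator accounts" workaround is meant to prevent.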