CVE-2021-26076

LOW

Jira Server/Data Center <8.5.12, <8.6.0-<8.13.4, <8.14.0-<8.15.0 - ...

Title source: llm

Description

The jira.editor.user.mode cookie set by the Jira Editor Plugin in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.0 allows remote anonymous attackers who can perform an attacker-in-the-middle attack to learn which mode a user is editing in, because the cookie is not set with the Secure attribute when Jira is configured to use HTTPS.

References (1)

Core References
Patch, Vendor Advisory x_refsource_misc
https://jira.atlassian.com/browse/JRASERVER-72252

Scores

CVSS v3 3.7
EPSS 0.0021
EPSS Percentile 43.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

Status published
Products (4)
atlassian/data_center < 8.5.12
atlassian/jira < 8.5.12
atlassian/jira_data_center 8.6.0 - 8.13.4
atlassian/jira_server 8.6.0 - 8.13.4
Published Apr 15, 2021
Tracked Since Feb 18, 2026