CVE-2021-41308

MEDIUM

Atlassian Jira <8.6.0, 8.7.0-8.13.12, 8.14.0-8.20.1 - Broken Access Control

Title source: llm

Description

Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint. The affected versions are before version 8.6.0, from version 8.7.0 before 8.13.12, and from version 8.14.0 before 8.20.1.

References (1)

Core 1

Core References

Issue Tracking, Patch, Vendor Advisory x_refsource_misc

https://jira.atlassian.com/browse/JRASERVER-72940

Scores

CVSS v3 6.5

EPSS 0.0015

EPSS Percentile 34.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-285

Status published

Products (4)

atlassian/jira < 8.6.0

atlassian/jira_data_center 8.7.0 - 8.13.12

atlassian/jira_server 8.7.0 - 8.13.12

atlassian/jira_software_data_center < 8.6.0

Published Oct 26, 2021

Tracked Since Feb 18, 2026