CVE-2021-39112 vulnerability in Atlassian Products
Published on August 25, 2021
Weakness Type
What is a tabnabbing Vulnerability?
The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property. When a user clicks a link to an external site ("target"), the target="_blank" attribute causes the target site's contents to be opened in a new window or tab, which runs in the same process as the original page. The window.opener object records information about the original page that offered the link. If an attacker can run script on the target page, then they could read or modify certain properties of the window.opener object, including the location property - even if the original and target site are not the same origin. An attacker can modify the location property to automatically redirect the user to a malicious site, e.g. as part of a phishing attack. Since this redirect happens in the original window/tab - which is not necessarily visible, since the browser is focusing the display on the new target page - the user might not notice any suspicious redirection.
CVE-2021-39112 has been classified as a tabnabbing vulnerability or weakness.
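As an added example (not code from this advisory, from stack.watch or from Atlassian), the Node.js snippet below shows the server-side mitigation for the weakness described above: any link to another origin that opens in a new tab is rendered with rel="noopener noreferrer", so the target page receives a null window.opener and cannot rewrite the opener's location, and an audit function flags already-rendered links that lack it. The origin and the sample HTML are constructed for the example.

```javascript
// Added example (not from the advisory or from Atlassian): hardening and
// auditing outbound links against tabnabbing. OWN_ORIGIN is a constructed
// placeholder for the site that renders the links.
const OWN_ORIGIN = "https://jira.example.invalid";

// True when href resolves to an origin other than our own.
function isExternal(href, ownOrigin = OWN_ORIGIN) {
  try {
    return new URL(href, ownOrigin).origin !== new URL(ownOrigin).origin;
  } catch {
    return true; // unparseable href: treat as untrusted
  }
}

// Merge "noopener noreferrer" into an existing rel value without duplicates.
function hardenRel(rel = "") {
  const tokens = new Set(rel.split(/\s+/).filter(Boolean));
  tokens.add("noopener").add("noreferrer");
  return [...tokens].join(" ");
}
function escapeAttr(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Render an <a> tag. An external link opened in a new tab always gets the
// hardened rel, so the browser hands the new tab a null window.opener and
// the target page cannot rewrite the opener's location.
function renderLink(href, text, { newTab = false, rel = "" } = {}) {
  const attrs = [`href="${escapeAttr(href)}"`];
  if (newTab) attrs.push('target="_blank"');
  const finalRel = newTab && isExternal(href) ? hardenRel(rel) : rel;
  if (finalRel) attrs.push(`rel="${escapeAttr(finalRel)}"`);
  return `<a ${attrs.join(" ")}>${escapeAttr(text)}</a>`;
}

// Audit rendered HTML: return hrefs of external new-tab anchors whose rel has
// neither noopener nor noreferrer (noreferrer implies noopener in the HTML spec).
function findUnsafeNewTabLinks(html) {
  const unsafe = [];
  for (const [tag] of html.matchAll(/<a\b[^>]*>/gi)) {
    if (!/\btarget\s*=\s*["']?_blank\b/i.test(tag)) continue;
    const rel = tag.match(/\brel\s*=\s*["']([^"']*)["']/i)?.[1] ?? "";
    if (/\bno(opener|referrer)\b/i.test(rel)) continue;
    const href = tag.match(/\bhref\s*=\s*["']([^"']*)["']/i)?.[1] ?? "";
    if (isExternal(href)) unsafe.push(href);
  }
  return unsafe;
}
```

Running findUnsafeNewTabLinks over exported page templates is a cheap regression check that the rel attribute was not dropped by a later template change.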
Products Associated with CVE-2021-39112
Affected Versions
Atlassian Jira Server:
- All versions below 8.5.15 are affected.
- Versions from 8.6.0 upward (no upper bound specified) are affected.
- All versions below 8.13.7 are affected.
- Versions from 8.14.0 upward (no upper bound specified) are affected.
- All versions below 8.17.1 are affected.
- Versions from 8.18.0 upward (no upper bound specified) are affected.
- All versions below 8.18.1 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.