CVE-2021-26076: 
JIRA vulnerability analysis and mitigation

The vulnerability (CVE-2021-26076) affects the Jira Editor Plugin in Jira Server and Data Center versions before 8.5.12, from 8.6.0 before 8.13.4, and from 8.14.0 before 8.15.0. The issue was discovered and disclosed in March 2021, with fixes released in April 2021. The vulnerability relates to the jira.editor.user.mode cookie not being set with a secure attribute when Jira is configured to use HTTPS (Jira Advisory).

The vulnerability stems from a security misconfiguration where the jira.editor.user.mode cookie set by the Jira Editor Plugin lacks the secure attribute when Jira is configured to use HTTPS. The severity of this vulnerability is rated as LOW with a CVSS 3.1 Base Score of 3.7 (Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) (NVD).

The vulnerability allows remote anonymous attackers who can perform a man-in-the-middle attack to determine which mode a user is editing in. This information disclosure vulnerability only affects installations where Jira is configured to use HTTPS (Jira Advisory).

The vulnerability has been fixed in Jira versions 8.5.12, 8.13.4, and 8.15.0. Users are advised to upgrade to these or later versions to address the security issue (Jira Advisory).