CVE-2021-26081: 
JIRA vulnerability analysis and mitigation

The vulnerability CVE-2021-26081 affects Atlassian Jira Server and Jira Data Center's REST API. The vulnerability was discovered in early 2021 and allows remote attackers to enumerate usernames through the /rest/api/latest/user/avatar/temporary endpoint. The affected versions include installations before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1 (Jira Advisory).

This is a Sensitive Data Exposure vulnerability in the REST API that enables username enumeration. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium severity) with the following vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating that it is network accessible, requires low attack complexity, needs no privileges, requires no user interaction, has unchanged scope, and can impact confidentiality but not integrity or availability (NVD).

The vulnerability allows attackers to discover valid usernames in the Jira instance, which could be used as a stepping stone for further attacks such as brute force attempts or social engineering campaigns (Jira Advisory).

Atlassian has released fixed versions to address this vulnerability. Users should upgrade to version 8.5.14, 8.13.6, 8.16.1, 8.16.2, or 8.17.0 depending on their current version track (Jira Advisory).