
Cloud Vulnerability DB
A community-led vulnerabilities database
Atlassian Jira Server and Data Center were affected by a Broken Access Control vulnerability (CVE-2021-39119) that allowed users who had previously watched an issue to continue receiving updates even after their Jira account was revoked. This vulnerability affected versions prior to 8.19.0 and was discovered in August 2021 (Jira Issue).
The vulnerability stems from a missing authorization check in the issue notification feature of Jira Server and Data Center. It has a CVSS 3.1 base score of 3.1 (Low), indicating relatively limited security impact (Jira Issue).
The primary impact of this vulnerability was that revoked users could continue to receive information about issues they had previously watched, potentially leading to unauthorized access to issue updates and related information (Jira Issue).
The vulnerability was fixed in Jira version 8.19.0. For versions 8.20.6 and later, administrators can control this behavior using the Dark Feature Flag 'com.atlassian.jira.send.email.notifications.to.user.without.application.access.enabled'. Additionally, versions 8.13.19+ include an option to enable the fix using the same feature flag (Jira Issue).
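The missing check described above can be illustrated with a simplified model. This is an added example, not Atlassian's code: the `User`, `Issue`, `watch`, `recipients_*` and `stale_watchers` names and the sample data are assumptions made for illustration. It contrasts a notification fan-out that trusts the stored watcher list with one that re-checks access at send time, and includes an audit helper that lists revoked users still present as watchers.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    email: str
    has_access: bool = True   # flips to False when the account is revoked

@dataclass
class Issue:
    key: str
    watchers: list = field(default_factory=list)

def watch(issue, user):
    """Access is checked once, at the moment the user starts watching."""
    if not user.has_access:
        raise PermissionError(f"{user.name} may not watch {issue.key}")
    issue.watchers.append(user)

def recipients_unchecked(issue):
    """Behaviour described above: the watcher list is trusted at send time."""
    return [u.email for u in issue.watchers]

def recipients_checked(issue):
    """Hardened form: authorization is re-evaluated for every notification."""
    return [u.email for u in issue.watchers if u.has_access]

def stale_watchers(issues):
    """Audit helper: issue key -> watchers whose access has been revoked."""
    report = {}
    for issue in issues:
        stale = [u.name for u in issue.watchers if not u.has_access]
        if stale:
            report[issue.key] = stale
    return report

def build_sample():
    """Constructed sample data: bob watches PROJ-1, then his account is revoked."""
    alice = User("alice", "alice@example.test")
    bob = User("bob", "bob@example.test")
    issues = [Issue("PROJ-1"), Issue("PROJ-2")]
    for issue, user in [(issues[0], alice), (issues[0], bob), (issues[1], alice)]:
        watch(issue, user)
    bob.has_access = False
    return issues

if __name__ == "__main__":
    sample = build_sample()
    print(recipients_unchecked(sample[0]), recipients_checked(sample[0]))
    print(stale_watchers(sample))
```

The same comparison of watcher lists against current account status is a useful cleanup step on instances that ran an affected version.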
Source: This report was generated using AI