A user can view the createmeta information of private projects

Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers without permission to view a private project to view the projects issue creation meta information via a Broken Access Control vulnerability in the /issue/createmeta endpoint. The affected versions are before version 8.22.0. versions prior to 8.20.12