Jira Server and Data Center / JRASERVER-70940

Template injection in Web Resources Manager - CVE-2020-14172


    Details

      Description

      This issue documents a security improvement to the way Jira Server and Data Center use Velocity templates.

      Prior to version 8.8.1, the way Atlassian Jira Server and Data Center used Velocity templates allowed remote attackers to achieve remote code execution via insecure deserialization, provided they were able to exploit a server-side template injection vulnerability.

      Affected versions:

      • version < 7.13.0
      • 8.0.0 ≤ version < 8.5.0
      • 8.6.0 ≤ version < 8.8.1

      Fixed versions:

      • 8.8.1
      • 8.9.0
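
      A version check against the affected ranges listed above, as an added example (not Atlassian's code). It compares version components numerically, because a plain string comparison misorders 7.6.1 against 7.13.0 and 8.10.0 against 8.8.1. The function names, host names and inventory are this example's own assumptions.

```python
import re

# Affected ranges exactly as listed in this issue: (inclusive lower, exclusive upper).
# None as the lower bound means "no lower bound".
AFFECTED_RANGES = [
    (None, (7, 13, 0)),
    ((8, 0, 0), (8, 5, 0)),
    ((8, 6, 0), (8, 8, 1)),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) as ints; a trailing build suffix is ignored."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"not a Jira version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_affected(text):
    """True when the version falls inside one of the ranges listed in the issue."""
    version = parse_version(text)
    return any(
        (low is None or version >= low) and version < high
        for low, high in AFFECTED_RANGES
    )


def triage(inventory):
    """Map host -> 'affected' / 'not listed' / 'unparseable' for a host->version dict."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = "affected" if is_affected(version) else "not listed"
        except ValueError:
            report[host] = "unparseable"
    return report


if __name__ == "__main__":
    # Constructed inventory; host names and versions are sample values.
    sample = {"jira-a.example": "7.6.1", "jira-b.example": "8.10.0", "jira-c.example": "unknown"}
    print(triage(sample))
```

      Hosts reported as "unparseable" need a manual version lookup rather than being treated as unaffected.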

       


            People

            Assignee:
            Unassigned
            Reporter:
            security-metrics-bot Security Metrics Bot