Update jackson-databind library bundled with JIRA


      The files related to the Jackson-databind library used by JIRA are out of date. While JIRA does not employ methodology which would enable exploitation of these old vulnerabilities (detailed in CVE-2017-15095), the problem is with the vulnerable files existing on the file system at all. They can trigger false positives against vulnerability scans.

      The following library files are affected:

      <JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle130\version0.0\atlassian-remote-event-common-plugin-1.0.12-D20170127T113645.jar-embedded\META-INF\lib\jackson-annotations-2.3.0.jar
      <JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle130\version0.0\atlassian-remote-event-common-plugin-1.0.12-D20170127T113645.jar-embedded\META-INF\lib\jackson-core-2.3.2.jar
      <JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle130\version0.0\atlassian-remote-event-common-plugin-1.0.12-D20170127T113645.jar-embedded\META-INF\lib\jackson-databind-2.3.2.jar
      <JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle150\version0.0\jackson-module-scala-2.10-provider-plugin-0.5.jar-embedded\jackson-module-scala-2.10-1.9.3.3.jar
      <JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle34\version0.0\atlassian-gadgets-directory-plugin-4.2.21.jar-embedded\META-INF\lib\jackson-core-asl-1.4.4.jar
      <JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle34\version0.0\atlassian-gadgets-directory-plugin-4.2.21.jar-embedded\META-INF\lib\jackson-mapper-asl-1.4.3.jar
      <JIRA_INSTALL>\atlassian-jira\WEB-INF\atlassian-bundled-plugins\jackson-module-scala-2.10-provider-plugin-0.5.jar
      <JIRA_INSTALL>\atlassian-jira\WEB-INF\lib\jackson-1.0.jar
      <JIRA_INSTALL>\atlassian-jira\WEB-INF\lib\jackson-core-asl-1.9.13-atlassian-1.jar
      <JIRA_INSTALL>\atlassian-jira\WEB-INF\lib\jackson-mapper-asl-1.9.13-atlassian-1.jar
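
      A triage helper for scanner findings like the list above, added here as an example and not part of the original issue or of Atlassian's code: it parses each flagged path into library, version and the plugin jar the copy was unpacked from, so findings can be grouped by the component that would need updating. It assumes the `.jar-embedded` directory name identifies the owning plugin; the `webapp` label and the function names are hypothetical.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import NamedTuple, Optional

# Constructed sample input: four of the paths listed in this issue.
SAMPLE_PATHS = [
    r"<JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle130\version0.0\atlassian-remote-event-common-plugin-1.0.12-D20170127T113645.jar-embedded\META-INF\lib\jackson-databind-2.3.2.jar",
    r"<JIRA_HOME>\plugins\.osgi-plugins\felix\felix-cache\bundle34\version0.0\atlassian-gadgets-directory-plugin-4.2.21.jar-embedded\META-INF\lib\jackson-mapper-asl-1.4.3.jar",
    r"<JIRA_INSTALL>\atlassian-jira\WEB-INF\lib\jackson-1.0.jar",
    r"<JIRA_INSTALL>\atlassian-jira\WEB-INF\lib\jackson-core-asl-1.9.13-atlassian-1.jar",
]

# Artifact name is everything before the first "-<digit>"; the rest is the version string.
JAR_NAME = re.compile(r"^(jackson[\w.-]*?)-(\d[\w.-]*)\.jar$")
EMBEDDED_SUFFIX = ".jar-embedded"


class Finding(NamedTuple):
    artifact: str
    version: str
    owner: str  # plugin jar the copy sits under, or "webapp" (hypothetical label)
    path: str


def parse_finding(path: str) -> Optional[Finding]:
    """Split one flagged path into artifact, version and owning component."""
    p = PureWindowsPath(path)
    m = JAR_NAME.match(p.name)
    if m is None:
        return None  # file name is not a versioned Jackson jar
    owner = "webapp"  # default: not under a plugin's embedded directory
    for part in p.parts[:-1]:
        if part.endswith(EMBEDDED_SUFFIX):
            owner = part[: -len("-embedded")]  # assumption: directory is named after the plugin jar
    return Finding(m.group(1), m.group(2), owner, path)


def group_by_owner(paths):
    """Map each owning component to the sorted list of 'artifact version' it carries."""
    groups = defaultdict(list)
    for path in paths:
        finding = parse_finding(path)
        if finding is not None:
            groups[finding.owner].append(f"{finding.artifact} {finding.version}")
    return {owner: sorted(libs) for owner, libs in groups.items()}


if __name__ == "__main__":
    for owner, libs in group_by_owner(SAMPLE_PATHS).items():
        print(f"{owner}: {', '.join(libs)}")
```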

            Assignee:
            AB
            Reporter:
            Shaun S
            Votes:
            11
            Watchers:
            15