-
Public Security Vulnerability
-
Resolution: Fixed
-
Low (View bug fix roadmap)
-
8.13.10, 8.19.0
-
None
-
7.2
-
High
-
CVE-2021-39128
Affected versions of Atlassian Jira Server or Data Center using the Jira Service Management addon allow remote attackers with JIRA Administrators access to execute arbitrary Java code via a server-side template injection vulnerability in the Email Template feature.
The affected versions of Jira Server or Data Center are before version 8.13.12, and from version 8.14.0 before 8.19.1.
*Affected versions:*
- version < 8.13.12
- 8.14.0 ≤ version < 8.19.1
*Fixed versions:*
- 8.13.12
- 8.19.1
- 8.20.0
- 8.21.0
[JRASERVER-72804] Template Injection in Email Templates leads to RCE on Jira Service Management Server - CVE-2021-39128
This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 7.2 => High severity
Exploitability Metrics
| Attack Vector | Network |
|---|---|
| Attack Complexity | Low |
| Privileges Required | High |
| User Interaction | None |
Scope Metric
| Scope | Unchanged |
|---|
Impact Metrics
| Confidentiality | High |
|---|---|
| Integrity | High |
| Availability | High |
https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Hello,
The description is not clear at all regarding CVE Jira Service Management addon ? what does that mean is it an addon installed on JIRA server/Data center or the JIRA service management server/Data center(since the JIRA SM run a JIRA version) and could you explain further how the attacker can exploit ? there should be some W.A just incase one is not able to do upgrade. There is no explanation here https://www.atlassian.com/trust/security/advisories
Kind regards,
Moses