• Type: Public Security Vulnerability
• Resolution: Fixed
• Priority: Low (View bug fix roadmap)
• Fix Version/s: 8.21.0, 8.13.15, 8.20.3
• Affects Version/s: 8.20.1, 8.13.14
• Component/s: None
• Labels:

  • advisory
  • advisory-to-release
  • dont-import
  • security

[JRASERVER-73067] Email Template Injection to RCE - CVE-2021-43947

Collapse comment: JIRATFS added a comment - 24/Jul/2022 7:22 AM

JIRATFS added a comment - 24/Jul/2022 7:22 AM

how Can Fix This Problem?

Expand comment: JIRATFS added a comment - 24/Jul/2022 7:22 AM

JIRATFS added a comment - 24/Jul/2022 7:22 AM how Can Fix This Problem?

Collapse comment: Keith Schug added a comment - 28/Jun/2022 5:50 PM, Edited by Keith Schug - 01/Jul/2022 2:42 PM

Keith Schug added a comment - 28/Jun/2022 5:50 PM - edited

Is this still an issue in version 8.20.10?

Expand comment: Keith Schug added a comment - 28/Jun/2022 5:50 PM, Edited by Keith Schug - 01/Jul/2022 2:42 PM

Keith Schug added a comment - 28/Jun/2022 5:50 PM - edited Is this still an issue in version 8.20.10?

Collapse comment: Ravi Karanam added a comment - 21/Mar/2022 7:32 PM

Ravi Karanam added a comment - 21/Mar/2022 7:32 PM

We upgraded Jira to 8.20.2 recently and wanted to avoid another upgrade in short term.. is there any workaround to fix this?

Expand comment: Ravi Karanam added a comment - 21/Mar/2022 7:32 PM

Ravi Karanam added a comment - 21/Mar/2022 7:32 PM We upgraded Jira to 8.20.2 recently and wanted to avoid another upgrade in short term.. is there any workaround to fix this?

Collapse comment: Eric Gasior added a comment - 25/Feb/2022 6:53 PM, Edited by Eric Gasior - 25/Feb/2022 6:56 PM

Eric Gasior added a comment - 25/Feb/2022 6:53 PM - edited

X

Expand comment: Eric Gasior added a comment - 25/Feb/2022 6:53 PM, Edited by Eric Gasior - 25/Feb/2022 6:56 PM

Eric Gasior added a comment - 25/Feb/2022 6:53 PM - edited X

Collapse comment: Amit Srivastava added a comment - 17/Feb/2022 2:59 PM

Amit Srivastava added a comment - 17/Feb/2022 2:59 PM

We have upgraded our Jira in 8.13.17 version and still showing this vulnerability on our Jira instance server.

So, this vulnerability is yet not resolved.

Also, please suggest, how can we secure our instance from this vulnerability, is there any patch/dark feature is required to add?

Please look into this on priority. 

Regards,

Amit

Expand comment: Amit Srivastava added a comment - 17/Feb/2022 2:59 PM

Amit Srivastava added a comment - 17/Feb/2022 2:59 PM We have upgraded our Jira in 8.13.17 version and still showing this vulnerability on our Jira instance server. So, this vulnerability is yet not resolved. Also, please suggest, how can we secure our instance from this vulnerability, is there any patch/dark feature is required to add? Please look into this on priority.  Regards, Amit

Collapse comment: lance_lyons added a comment - 14/Feb/2022 9:29 PM

lance_lyons added a comment - 14/Feb/2022 9:29 PM

Why cant you guys make a secure product.  These security vulnerabilities are causing us to have to upgrade Jira every month.

Expand comment: lance_lyons added a comment - 14/Feb/2022 9:29 PM

lance_lyons added a comment - 14/Feb/2022 9:29 PM Why cant you guys make a secure product.  These security vulnerabilities are causing us to have to upgrade Jira every month.

Collapse comment: Matthew Hope added a comment - 14/Jan/2022 9:36 AM, Edited by Matthew Hope - 14/Jan/2022 4:51 PM

Matthew Hope added a comment - 14/Jan/2022 9:36 AM - edited

It seems that this vulnerability is being reported elsewhere as CRITICAL not high (with a CVSS score of 9) - https://www.cvedetails.com/cve/CVE-2021-43947/

Is Atlassian happy to stand by the CVSS score reported here of 7.2?

EDIT: it seems the cvedetails score is based on the CVSS v2 scoring criteria

Expand comment: Matthew Hope added a comment - 14/Jan/2022 9:36 AM, Edited by Matthew Hope - 14/Jan/2022 4:51 PM

Matthew Hope added a comment - 14/Jan/2022 9:36 AM - edited It seems that this vulnerability is being reported elsewhere as CRITICAL not high (with a CVSS score of 9) - https://www.cvedetails.com/cve/CVE-2021-43947/ Is Atlassian happy to stand by the CVSS score reported here of 7.2? EDIT: it seems the cvedetails score is based on the CVSS v2 scoring criteria

Collapse comment: AB added a comment - 05/Jan/2022 3:47 AM, Edited by Security Metrics Bot - 09/Jan/2022 8:29 PM

AB added a comment - 05/Jan/2022 3:47 AM - edited

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 7.2 => High severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	High
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	High
Integrity	High
Availability	High

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Expand comment: AB added a comment - 05/Jan/2022 3:47 AM, Edited by Security Metrics Bot - 09/Jan/2022 8:29 PM

AB added a comment - 05/Jan/2022 3:47 AM - edited This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 7.2 => High severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required High User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H