-
Public Security Vulnerability
-
Resolution: Fixed
-
Low (View bug fix roadmap)
-
8.13.13, 8.20.1
-
None
-
8.7
-
High
-
CVE-2021-43944
This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented.
Affected versions of Atlassian Jira Server and Data Center allow remote attackers with administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature.
The affected versions are before version 8.13.15, and from version 8.14.0 before 8.20.3.
Affected versions:
- version < 8.13.15
- 8.14.0 ≤ version < 8.20.3
Fixed versions:
- 8.13.15
- 8.20.3
- 8.21.0
- is related to
-
-
- Published
-
- mentioned in
-
Page Failed to load
-
Page Failed to load
-
Page Failed to load
-
Page Failed to load
-
Page Loading...
-
-
-
-
-
-
-
-
| Form Name | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
[JRASERVER-73072] Template Injection in Email Templates leads to code execution on Jira Service Management Server - CVE-2021-43944
Hi Team, Please confirm if we upgrade the Jira version to 8.20.7 will it resolve the vulnerability.
If yes ,requesting you to update the latest version of 8.20.7 in Fixed version
This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 8.7 => High severity
Exploitability Metrics
| Attack Vector | Network |
|---|---|
| Attack Complexity | Low |
| Privileges Required | High |
| User Interaction | None |
Scope Metric
| Scope | Changed |
|---|
Impact Metrics
| Confidentiality | High |
|---|---|
| Integrity | High |
| Availability | None |
https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
On the title: "Template Injection in Email Templates leads to code execution on Jira Service Management Server"