[JRASERVER-73581] Jira Software Server Template RCE via Email Templates feature

Type: Public Security Vulnerability
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.13.19, 8.20.7, 8.22.1, 9.0.0
Affects Version/s: 8.22.0, 8.13.18, 8.20.6
Component/s: Security
Labels:

CVSS Score:
7.2
CVSS Severity:
High

This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented.

Affected versions of Atlassian Jira Software Server and Data Center allow a system administrator to execute arbitrary code via a remote code execution in the Email Templates feature.

Affected versions:

version < 8.13.19,
8.14.0 ≤ version < 8.20.7,
8.21.0 ≤ version < 8.22.1,
8.23.0 ≤ version < 9.0.0

Fixed versions:

8.13.19,
8.20.7,
8.22.1,
9.0.0

relates to

JRASERVER-73072 Template Injection in Email Templates leads to code execution on Jira Service Management Server - CVE-2021-43944

Published

rshah2 added a comment - 16/Mar/2022 4:40 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 7.2 => High severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	High
User Interaction	None

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	High
Integrity	High
Availability	High

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

rshah2 added a comment - 16/Mar/2022 4:40 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 7.2 => High severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required High User Interaction None Scope Metric Scope Unchanged Impact Metrics Confidentiality High Integrity High Availability High https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Assignee:: Unassigned

Reporter:: Security Metrics Bot

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 15/Mar/2022 7:56 PM

Updated:: 04/Oct/2022 6:20 AM

Resolved:: 04/Oct/2022 6:19 AM

Jira Data Center

Details

Description

Attachments

Issue Links

Forms

Activity

Collapse comment: rshah2 added a comment - 16/Mar/2022 4:40 AM

Expand comment: rshah2 added a comment - 16/Mar/2022 4:40 AM

People

Dates