-
Public Security Vulnerability
-
Resolution: Fixed
-
Highest
-
5.0.0, 5.4.0, 5.4.1, 5.5.0, 5.5.1, 5.4.2, 5.6.0, 5.4.3, 5.7.0, 5.4.4, 5.8.0, 5.4.5, 5.4.6, 5.9.0, 5.4.7, 5.4.8, 5.10.0, 5.4.9, 5.11.0, 5.4.10, 5.11.1, 5.4.11, 5.4.12
-
None
-
None
-
9.8
-
Critical
-
CVE-2022-1471
-
Atlassian (Internal)
-
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
-
RCE (Remote Code Execution)
-
Jira Service Management Data Center, Jira Service Management Server
Summary of Vulnerability
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution).
Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
Affected Versions
| Product | Affected Versions |
|---|---|
| Jira Service Management Data Center and Server |
|
Fixed Versions
| Product | Action |
|---|---|
| Automation for Jira (A4J) Marketplace App | Patch to the following fixed versions or later 9.0.2 8.2.4 Mitigation(s) Upgrade via the Universal Plugin Manager (UPM).  See breaking changes in A4J 9.0+ for more info. |
| Jira Service Management Data Center and Server | Patch to the following fixed versions or later 5.11.2 5.12.0 (LTS) 5.4.14 (LTS) Upgrading Jira to a fixed version is also required. |