-
Public Security Vulnerability
-
Resolution: Fixed
-
Highest
-
5.0.0, (22)
5.4.0, 5.4.1, 5.5.0, 5.5.1, 5.4.2, 5.6.0, 5.4.3, 5.7.0, 5.4.4, 5.8.0, 5.4.5, 5.4.6, 5.9.0, 5.4.7, 5.4.8, 5.10.0, 5.4.9, 5.11.0, 5.4.10, 5.11.1, 5.4.11, 5.4.12 -
None
-
None
-
9.8
-
Critical
-
CVE-2022-1471
-
Atlassian (Internal)
-
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
-
RCE (Remote Code Execution)
-
Jira Service Management Data Center, Jira Service Management Server
Summary of Vulnerability
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution).
Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
Affected Versions
| Product | Affected Versions |
|---|---|
| Jira Service Management Data Center and Server |
|
Fixed Versions
| Product | Action |
|---|---|
| Automation for Jira (A4J) Marketplace App | Patch to the following fixed versions or later 9.0.2 8.2.4 Mitigation(s) Upgrade via the Universal Plugin Manager (UPM).  See breaking changes in A4J 9.0+ for more info. |
| Jira Service Management Data Center and Server | Patch to the following fixed versions or later 5.11.2 5.12.0 (LTS) 5.4.14 (LTS) Upgrading Jira to a fixed version is also required. |
[JSDSERVER-14906] RCE (Remote Code Execution) in Jira Service Management Data Center and Server - CVE-2022-1471
| Remote Link | New: This issue links to "Page (Confluence)" [ 846286 ] |
| Resolution | New: Fixed [ 1 ] | |
| Security | Original: Atlassian Staff [ 10750 ] | |
| Status | Original: Draft [ 12872 ] | New: Published [ 12873 ] |
| Description |
Original:
h2. Summary of Vulnerability
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution). (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Service Management Data Center and Server| * 5.4.0 * 5.4.1 * 5.4.2 * 5.4.3 * 5.4.4 * 5.4.5 * 5.4.6 * 5.4.7 * 5.4.8 * 5.4.9 * 5.4.10 * 5.4.11 * 5.4.12 * 5.5.x * 5.6.x * 5.7.x * 5.8.x * 5.9.x * 5.10.x * 5.11.0 * 5.11.1| h2. Fixed Versions ||Product||Action|| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 8.2.4 *Mitigation(s)* Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info. | |Jira Service Management Data Center and Server|*Patch to the following fixed versions or later* 5.11.2 5.12.0 (LTS) 5.4.13 (LTS) Upgrading Jira to a fixed version is also required.| |
New:
h2. Summary of Vulnerability
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution). (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Service Management Data Center and Server| * 5.4.0 * 5.4.1 * 5.4.2 * 5.4.3 * 5.4.4 * 5.4.5 * 5.4.6 * 5.4.7 * 5.4.8 * 5.4.9 * 5.4.10 * 5.4.11 * 5.4.12 * 5.5.x * 5.6.x * 5.7.x * 5.8.x * 5.9.x * 5.10.x * 5.11.0 * 5.11.1| h2. Fixed Versions ||Product||Action|| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 8.2.4 *Mitigation(s)* Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info. | |Jira Service Management Data Center and Server|*Patch to the following fixed versions or later* 5.11.2 5.12.0 (LTS) 5.4.14 (LTS) Upgrading Jira to a fixed version is also required.| |
| Fix Version/s | Original: 5.4.13 [ 106413 ] | |
| Fix Version/s | New: 5.4.14 [ 106507 ] |
| Affects Version/s | Original: 5.11.2 [ 106107 ] | |
| Affects Version/s | Original: 5.10.2 [ 105914 ] | |
| Affects Version/s | Original: 5.10.1 [ 105791 ] | |
| Affects Version/s | New: 5.4.0 [ 102903 ] | |
| Affects Version/s | New: 5.7.0 [ 104602 ] | |
| Affects Version/s | New: 5.8.0 [ 104629 ] | |
| Affects Version/s | New: 5.9.0 [ 104928 ] | |
| Affects Version/s | New: 5.11.0 [ 105890 ] |
| Description |
Original:
h2. Summary of Vulnerability
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution). (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Service Management Data Center and Server| * 5.4.0 * 5.4.1 * 5.4.2 * 5.4.3 * 5.4.4 * 5.4.5 * 5.4.6 * 5.4.7 * 5.4.8 * 5.4.9 * 5.4.10 * 5.4.11 * 5.4.12 * 5.5.x * 5.6.x * 5.7.x * 5.8.x * 5.9.x * 5.10.x * 5.11.0 * 5.11.1| h2. Fixed Versions ||Product||Action|| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 8.2.4 *Mitigation(s)* Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info. | |Jira Service Management Data Center and Server|*Patch to the following fixed versions or later* 5.11.2 5.12.0 (LTS) 5.4.13 (LTS) Upgrading Jira to a fixed version is also required.| |
New:
h2. Summary of Vulnerability
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution). (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Service Management Data Center and Server| * 5.4.0 * 5.4.1 * 5.4.2 * 5.4.3 * 5.4.4 * 5.4.5 * 5.4.6 * 5.4.7 * 5.4.8 * 5.4.9 * 5.4.10 * 5.4.11 * 5.4.12 * 5.5.x * 5.6.x * 5.7.x * 5.8.x * 5.9.x * 5.10.x * 5.11.0 * 5.11.1| h2. Fixed Versions ||Product||Action|| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 8.2.4 *Mitigation(s)* Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info. | |Jira Service Management Data Center and Server|*Patch to the following fixed versions or later* 5.11.2 5.12.0 (LTS) 5.4.13 (LTS) Upgrading Jira to a fixed version is also required.| |
| Description |
Original:
h2. Summary of Vulnerability
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution). (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Service Management Data Center and Server| * 5.4.0 * 5.4.1 * 5.4.2 * 5.4.3 * 5.4.4 * 5.4.5 * 5.4.6 * 5.4.7 * 5.4.8 * 5.4.9 * 5.4.10 * 5.4.11 * 5.4.12 * 5.5.x * 5.6.x * 5.7.x * 5.8.x * 5.9.x * 5.10.x * 5.11.0 * 5.11.1| h2. Fixed Versions ||Product||Action|| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 8.2.4 *Mitigation(s)* Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info. | |Jira Service Management Data Center and Server|*Patch to the following fixed versions or later* 5.11.2 5.12.0 (LTS) 5.4.13 (LTS) Upgrading Jira to a fixed version is also required. *Mitigation(s)* If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info (also bundled with [JSM 5.11+|https://confluence.atlassian.com/servicemanagement/jira-service-management-5-11-x-release-notes-1252000911.html#JiraServiceManagement5.11.xreleasenotes-jira-allowlist])\| | | | | |
New:
h2. Summary of Vulnerability
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution). (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Service Management Data Center and Server| * 5.4.0 * 5.4.1 * 5.4.2 * 5.4.3 * 5.4.4 * 5.4.5 * 5.4.6 * 5.4.7 * 5.4.8 * 5.4.9 * 5.4.10 * 5.4.11 * 5.4.12 * 5.5.x * 5.6.x * 5.7.x * 5.8.x * 5.9.x * 5.10.x * 5.11.0 * 5.11.1| h2. Fixed Versions ||Product||Action|| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 8.2.4 *Mitigation(s)* Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info. | |Jira Service Management Data Center and Server|*Patch to the following fixed versions or later* 5.11.2 5.12.0 (LTS) 5.4.13 (LTS) Upgrading Jira to a fixed version is also required.| |
| Description |
Original:
h2. Summary of Vulnerability
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution). (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Service Management Data Center and Server| * 5.4.0 * 5.4.1 * 5.4.2 * 5.4.3 * 5.4.4 * 5.4.5 * 5.4.6 * 5.4.7 * 5.4.8 * 5.4.9 * 5.4.10 * 5.4.11 * 5.4.12 * 5.5.x * 5.6.x * 5.7.x * 5.8.x * 5.9.x * 5.10.x * 5.11.0 * 5.11.1| h2. Fixed Versions ||Product||Action|| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 8.2.4 *Mitigation(s)* Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info. | |Jira Service Management Data Center and Server| *Patch to the following fixed versions or later*{*}{*}5.11.2 5.12.0 (LTS) 5.4.13 (LTS) Upgrading Jira to a fixed version is also required. *Mitigation(s)* If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info (also bundled with [JSM 5.11+|https://confluence.atlassian.com/servicemanagement/jira-service-management-5-11-x-release-notes-1252000911.html#JiraServiceManagement5.11.xreleasenotes-jira-allowlist])\| | |
New:
h2. Summary of Vulnerability
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution). (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Service Management Data Center and Server| * 5.4.0 * 5.4.1 * 5.4.2 * 5.4.3 * 5.4.4 * 5.4.5 * 5.4.6 * 5.4.7 * 5.4.8 * 5.4.9 * 5.4.10 * 5.4.11 * 5.4.12 * 5.5.x * 5.6.x * 5.7.x * 5.8.x * 5.9.x * 5.10.x * 5.11.0 * 5.11.1| h2. Fixed Versions ||Product||Action|| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 8.2.4 *Mitigation(s)* Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info. | |Jira Service Management Data Center and Server|*Patch to the following fixed versions or later* 5.11.2 5.12.0 (LTS) 5.4.13 (LTS) Upgrading Jira to a fixed version is also required. *Mitigation(s)* If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info (also bundled with [JSM 5.11+|https://confluence.atlassian.com/servicemanagement/jira-service-management-5-11-x-release-notes-1252000911.html#JiraServiceManagement5.11.xreleasenotes-jira-allowlist])\| | | | | |
| Description |
Original:
h2. Summary of Vulnerability
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution). (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Service Management Data Center and Server| * 5.4.0 * 5.4.1 * 5.4.2 * 5.4.3 * 5.4.4 * 5.4.5 * 5.4.6 * 5.4.7 * 5.4.8 * 5.4.9 * 5.4.10 * 5.4.11 * 5.4.12 * 5.5.x * 5.6.x * 5.7.x * 5.8.x * 5.9.x * 5.10.x * 5.11.0 * 5.11.1| h2. Fixed Versions ||Product||Action|| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 8.2.4 *Mitigation(s)* Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info. | |Jira Service Management Data Center and Server|*Patch to the following fixed versions or later*| 5.11.2 5.12.0 (LTS) 5.4.13 (LTS) Upgrading Jira to a fixed version is also required. *Mitigation(s)* If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info (also bundled with [JSM 5.11+|https://confluence.atlassian.com/servicemanagement/jira-service-management-5-11-x-release-notes-1252000911.html#JiraServiceManagement5.11.xreleasenotes-jira-allowlist])| |
New:
h2. Summary of Vulnerability
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution). (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Service Management Data Center and Server| * 5.4.0 * 5.4.1 * 5.4.2 * 5.4.3 * 5.4.4 * 5.4.5 * 5.4.6 * 5.4.7 * 5.4.8 * 5.4.9 * 5.4.10 * 5.4.11 * 5.4.12 * 5.5.x * 5.6.x * 5.7.x * 5.8.x * 5.9.x * 5.10.x * 5.11.0 * 5.11.1| h2. Fixed Versions ||Product||Action|| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 8.2.4 *Mitigation(s)* Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info. | |Jira Service Management Data Center and Server| *Patch to the following fixed versions or later*{*}{*}5.11.2 5.12.0 (LTS) 5.4.13 (LTS) Upgrading Jira to a fixed version is also required. *Mitigation(s)* If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info (also bundled with [JSM 5.11+|https://confluence.atlassian.com/servicemanagement/jira-service-management-5-11-x-release-notes-1252000911.html#JiraServiceManagement5.11.xreleasenotes-jira-allowlist])\| | |
| Description |
Original:
h2. Summary of Vulnerability
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution). (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Service Management Data Center and Server| * 5.4.0 * 5.4.1 * 5.4.2 * 5.4.3 * 5.4.4 * 5.4.5 * 5.4.6 * 5.4.7 * 5.4.8 * 5.4.9 * 5.4.10 * 5.4.11 * 5.4.12 * 5.5.x * 5.6.x * 5.7.x * 5.8.x * 5.9.x * 5.10.x * 5.11.0 * 5.11.1| h2. Fixed Versions ||Product||Action|| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 8.2.4 Mitigation(s) Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info. | |Jira Service Management Data Center and Server|*Patch to the following fixed versions or later*| 5.11.2 5.12.0 (LTS) 5.4.13 (LTS) Upgrading Jira to a fixed version is also required. *Mitigation(s)* If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info (also bundled with [JSM 5.11+|https://confluence.atlassian.com/servicemanagement/jira-service-management-5-11-x-release-notes-1252000911.html#JiraServiceManagement5.11.xreleasenotes-jira-allowlist])| |
New:
h2. Summary of Vulnerability
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution). (i) _Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue._ h2. Affected Versions ||Product||Affected Versions|| |Jira Service Management Data Center and Server| * 5.4.0 * 5.4.1 * 5.4.2 * 5.4.3 * 5.4.4 * 5.4.5 * 5.4.6 * 5.4.7 * 5.4.8 * 5.4.9 * 5.4.10 * 5.4.11 * 5.4.12 * 5.5.x * 5.6.x * 5.7.x * 5.8.x * 5.9.x * 5.10.x * 5.11.0 * 5.11.1| h2. Fixed Versions ||Product||Action|| |Automation for Jira (A4J) Marketplace App|*Patch to the following fixed versions or later* 9.0.2 8.2.4 *Mitigation(s)* Upgrade via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info. | |Jira Service Management Data Center and Server|*Patch to the following fixed versions or later*| 5.11.2 5.12.0 (LTS) 5.4.13 (LTS) Upgrading Jira to a fixed version is also required. *Mitigation(s)* If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM). (!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info (also bundled with [JSM 5.11+|https://confluence.atlassian.com/servicemanagement/jira-service-management-5-11-x-release-notes-1252000911.html#JiraServiceManagement5.11.xreleasenotes-jira-allowlist])| |