Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with "Jira Administrators" access to execute arbitrary Java code or run arbitrary system commands via a Server_Side Template Injection vulnerability in the Email Template feature.

The affected versions are before version 4.13.9, and from version 4.14.0 before 4.18.0.

Affected versions:

• version < 4.13.9
• 4.14.0 ≤ version < 4.18.0

Fixed versions:

• 4.13.9
• 4.18.0