Uploaded image for project: 'Jira Service Management Data Center'
  1. Jira Service Management Data Center
  2. JSDSERVER-8665

Template Injection in Email Templates leads to code execution on Jira Service Management Server - CVE-2021-39115

XMLWordPrintable

    • 7.2
    • High
    • CVE-2021-39115

      Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with "Jira Administrators" access to execute arbitrary Java code or run arbitrary system commands via a Server_Side Template Injection vulnerability in the Email Template feature.

      The affected versions are before version 4.13.9, and from version 4.14.0 before 4.18.0.

       

      Affected versions:

      • version < 4.13.9
      • 4.14.0 ≤ version < 4.18.0

      Fixed versions:

      • 4.13.9
      • 4.18.0  

       

          Form Name

            [JSDSERVER-8665] Template Injection in Email Templates leads to code execution on Jira Service Management Server - CVE-2021-39115

            Security Metrics Bot made changes -
            CVE ID New: CVE-2021-39115
            AB made changes -
            Security Original: Atlassian Staff [ 10750 ]
            AB made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Draft [ 12872 ] New: Published [ 12873 ]
            AB made changes -
            Labels Original: advisory advisory-to-release dont-import security New: CVE-2021-39115 advisory advisory-to-release dont-import security
            AB made changes -
            Summary Original: Template Injection in Email Templates leads to code execution on Jira Service Management Server - CVE-in progress New: Template Injection in Email Templates leads to code execution on Jira Service Management Server - CVE-2021-39115
            AB made changes -
            Summary Original: Template Injection in Email Templates leads to code execution on Jira Service Management Server - CVE-PENDING New: Template Injection in Email Templates leads to code execution on Jira Service Management Server - CVE-in progress
            AB made changes -
            Summary Original: Template Injection in Email Templates leads to code execution on Jira Service Management Server - CVE-TODO New: Template Injection in Email Templates leads to code execution on Jira Service Management Server - CVE-PENDING
            AB made changes -
            Summary Original: Template Injection in Email Templates leads to code execution on Jira Service Management Server New: Template Injection in Email Templates leads to code execution on Jira Service Management Server - CVE-TODO
            AB made changes -
            Description Original: Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with "Jira Administrators" access to execute arbitrary Java code or run arbitrary system commands via a Server_Side Template Injection vulnerability in the Email Template feature.

                          		New: Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with "Jira Administrators" access to execute arbitrary Java code or run arbitrary system commands via a Server_Side Template Injection vulnerability in the Email Template feature.

            The affected versions are before version 4.13.9, and from version 4.14.0 before 4.18.0.

             

            *Affected versions:*
             * version < 4.13.9
             * 4.14.0 ≤ version < 4.18.0

            *Fixed versions:*
             * 4.13.9
             * 4.18.0  

             
            AB made changes -
            Fix Version/s New: 4.13.9 [ 97190 ]
            Fix Version/s New: 4.18.0 [ 95195 ]
            Fix Version/s Original: 8.18.0 [ 95095 ]
            Fix Version/s Original: 8.13.9 [ 95696 ]
            Key Original: JRASERVER-72740 New: JSDSERVER-8665
            Affects Version/s New: 4.5.18 [ 96590 ]
            Affects Version/s New: 4.17.1 [ 95194 ]
            Affects Version/s New: 4.13.8 [ 95593 ]
            Affects Version/s Original: 8.13.8 [ 95099 ]
            Affects Version/s Original: 8.17.1 [ 95401 ]
            Affects Version/s Original: 8.5.18 [ 95697 ]
            Project Original: Jira Server and Data Center [ 10240 ] New: Jira Service Management Server and Data Center [ 15611 ]

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: