We couldn't load all Actvitity tabs. Refresh the page to try again.
If the problem persists, contact your Jira admin.
IMPORTANT: JAC is a Public system and anyone on the internet will be able to view the data in the created JAC tickets. Please don’t include Customer or Sensitive data in the JAC ticket.

    • 9.8
    • Critical
    • CVE-2022-1471
    • Atlassian (Internal)
    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • RCE (Remote Code Execution)
    • Jira Core Data Center, Jira Core Server, Jira Software Data Center, Jira Software Server

      Summary of Vulnerability

      Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution).

       
      Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

      Affected Versions

      Product Affected Versions
      Jira Core Data Center and Server
      Jira Software Data Center and Server
      • 9.4.0
      • 9.4.1
      • 9.4.2
      • 9.4.3
      • 9.4.4
      • 9.4.5
      • 9.4.6
      • 9.4.7
      • 9.4.8
      • 9.4.9
      • 9.4.10
      • 9.4.11
      • 9.4.12
      • 9.5.x
      • 9.6.x
      • 9.7.x
      • 9.8.x
      • 9.9.x
      • 9.10.x
      • 9.11.0
      • 9.11.1
      Automation for Jira (A4J) Marketplace App
      • 9.0.1
      • 9.0.0
      • <= 8.2.2

      Fixed Versions

       

      Product Fixed Versions
      Jira Software Data Center and Server
      Jira Core Data Center and Server
      Patch to the following fixed versions or later
      9.11.2
      9.12.0
      9.4.14
       
      Mitigation(s):
      If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM).
       
      See breaking changes in A4J 9.0+ for more info (also bundled with Jira 9.11+)
      Automation for Jira (A4J) Marketplace App Patch to the following fixed versions or later
      9.0.2
      8.2.4
       
      Upgrade via the Universal Plugin Manager (UPM).
       
      See breaking changes in A4J 9.0+ for more info.

       

      For full descriptions of the above versions of Jira Data Center and Server, see the release notes. You can download the latest version of Jira Data Center and Server from the download center.

       

      For additional details, please see the full advisory.

      Support

      Comments on this ticket are not monitored. If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/

            Loading...
            IMPORTANT: JAC is a Public system and anyone on the internet will be able to view the data in the created JAC tickets. Please don’t include Customer or Sensitive data in the JAC ticket.

              • Icon: Public Security Vulnerability Public Security Vulnerability
              • Resolution: Fixed
              • Icon: Highest Highest
              • 9.12.0, 9.11.2, 9.4.14
              • 9.4.0, (22)
                9.5.0, 9.4.1, 9.6.0, 9.5.1, 9.4.2, 9.4.3, 9.7.0, 9.4.4, 9.8.0, 9.4.5, 9.9.0, 9.4.6, 9.4.7, 9.10.0, 9.4.8, 9.11.0, 9.4.9, 9.4.10, 9.11.1, 9.4.11, 9.10.2, 9.4.12
              • None
              • 9.8
              • Critical
              • CVE-2022-1471
              • Atlassian (Internal)
              • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
              • RCE (Remote Code Execution)
              • Jira Core Data Center, Jira Core Server, Jira Software Data Center, Jira Software Server

                Summary of Vulnerability

                Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution).

                 
                Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

                Affected Versions

                Product Affected Versions
                Jira Core Data Center and Server
                Jira Software Data Center and Server
                • 9.4.0
                • 9.4.1
                • 9.4.2
                • 9.4.3
                • 9.4.4
                • 9.4.5
                • 9.4.6
                • 9.4.7
                • 9.4.8
                • 9.4.9
                • 9.4.10
                • 9.4.11
                • 9.4.12
                • 9.5.x
                • 9.6.x
                • 9.7.x
                • 9.8.x
                • 9.9.x
                • 9.10.x
                • 9.11.0
                • 9.11.1
                Automation for Jira (A4J) Marketplace App
                • 9.0.1
                • 9.0.0
                • <= 8.2.2

                Fixed Versions

                 

                Product Fixed Versions
                Jira Software Data Center and Server
                Jira Core Data Center and Server
                Patch to the following fixed versions or later
                9.11.2
                9.12.0
                9.4.14
                 
                Mitigation(s):
                If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM).
                 
                See breaking changes in A4J 9.0+ for more info (also bundled with Jira 9.11+)
                Automation for Jira (A4J) Marketplace App Patch to the following fixed versions or later
                9.0.2
                8.2.4
                 
                Upgrade via the Universal Plugin Manager (UPM).
                 
                See breaking changes in A4J 9.0+ for more info.

                 

                For full descriptions of the above versions of Jira Data Center and Server, see the release notes. You can download the latest version of Jira Data Center and Server from the download center.

                 

                For additional details, please see the full advisory.

                Support

                Comments on this ticket are not monitored. If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/

                        Unassigned Unassigned
                        security-metrics-bot Security Metrics Bot
                        Votes:
                        0 Vote for this issue
                        Watchers:
                        29 Start watching this issue

                          Created:
                          Updated:
                          Resolved:

                            Unassigned Unassigned
                            security-metrics-bot Security Metrics Bot
                            Votes:
                            0 Vote for this issue
                            Watchers:
                            29 Start watching this issue

                              Created:
                              Updated:
                              Resolved: