Uploaded image for project: 'Jira Software Data Center'
  1. Jira Software Data Center
  2. JSWSERVER-24756

RCE (Remote Code Execution) in - CVE-2022-1471

XMLWordPrintable

    • Icon: Public Security Vulnerability Public Security Vulnerability
    • Resolution: Fixed
    • Icon: Highest Highest
    • 9.12.0, 9.11.2, 9.4.14
    • 9.4.0, 9.5.0, 9.4.1, 9.6.0, 9.5.1, 9.4.2, 9.4.3, 9.7.0, 9.4.4, 9.8.0, 9.4.5, 9.9.0, 9.4.6, 9.4.7, 9.10.0, 9.4.8, 9.11.0, 9.4.9, 9.4.10, 9.11.1, 9.4.11, 9.10.2, 9.4.12
    • None
    • 9.8
    • Critical
    • CVE-2022-1471
    • Atlassian (Internal)
    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • RCE (Remote Code Execution)
    • Jira Core Data Center, Jira Core Server, Jira Software Data Center, Jira Software Server

      Summary of Vulnerability

      Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution).

       
      Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

      Affected Versions

      Product Affected Versions
      Jira Core Data Center and Server
      Jira Software Data Center and Server
      • 9.4.0
      • 9.4.1
      • 9.4.2
      • 9.4.3
      • 9.4.4
      • 9.4.5
      • 9.4.6
      • 9.4.7
      • 9.4.8
      • 9.4.9
      • 9.4.10
      • 9.4.11
      • 9.4.12
      • 9.5.x
      • 9.6.x
      • 9.7.x
      • 9.8.x
      • 9.9.x
      • 9.10.x
      • 9.11.0
      • 9.11.1
      Automation for Jira (A4J) Marketplace App
      • 9.0.1
      • 9.0.0
      • <= 8.2.2

      Fixed Versions

       

      Product Fixed Versions
      Jira Software Data Center and Server
      Jira Core Data Center and Server
      Patch to the following fixed versions or later
      9.11.2
      9.12.0
      9.4.14
       
      Mitigation(s):
      If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM).
       
      See breaking changes in A4J 9.0+ for more info (also bundled with Jira 9.11+)
      Automation for Jira (A4J) Marketplace App Patch to the following fixed versions or later
      9.0.2
      8.2.4
       
      Upgrade via the Universal Plugin Manager (UPM).
       
      See breaking changes in A4J 9.0+ for more info.

       

      For full descriptions of the above versions of Jira Data Center and Server, see the release notes. You can download the latest version of Jira Data Center and Server from the download center.

       

      For additional details, please see the full advisory.

      Support

      Comments on this ticket are not monitored. If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/

              Unassigned Unassigned
              security-metrics-bot Security Metrics Bot
              Votes:
              0 Vote for this issue
              Watchers:
              29 Start watching this issue

                Created:
                Updated:
                Resolved: