There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAtlassian Jira Server
APPAtlassian4.4 – 7.6.14 (bez)7.7.0 – 7.13.5 (bez)8.0.0 – 8.0.3 (bez)8.1.0 – 8.1.2 (bez)8.2.0 – 8.2.3 (bez)
CISA KEV — detailsi
- Vendori
- Atlassian ↗
- Producti
- Jira Server and Data Center
- Added to KEVi
- March 7, 2022
- Remediation deadline (US Federal)i
- September 7, 2022(overdue)
Apply updates per vendor instructions.
Atlassian Jira Server and Data Center contain a server-side template injection vulnerability which can allow for remote code execution.
Related vulnerabilities
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Fil...
A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a...
This High severity Path Traversal (Arbitrary Write) vulnerability was introduced in versions: 9.12.0, 10.3.0 a...
This High severity PrivEsc (Privilege Escalation) vulnerability was introduced in versions: 9.12.0, 10.3.0, 1...
This High severity RCE (Remote Code Execution) vulnerability was introduced in version 5.2 of Confluence Data ...