QID 730277

Date Published: 2021-11-24

QID 730277: Atlassian Jira Server and Data Center Server Side Template Injection Vulnerability (JRASERVER-72804)

Jira is a proprietary issue tracking product, developed by Atlassian. It provides bug tracking, issue tracking, and project management functions.

CVE-2021-39128:Affected versions of Atlassian Jira Server or Data Center using the Jira Service Management addon allow remote attackers with JIRA Administrators access to execute arbitrary Java code via a server-side template injection vulnerability in the Email Template feature.

Affected version:
Atlassian Jira Server and Data Center version prior to 8.13.12
Atlassian Jira Server and Data Center from 8.14.0 to 8.19.0

QID Detection Logic:(Unauthenticated)
It checks for vulnerable version of Atlassian Jira.

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code.

  • CVSS V3 rated as High - 7.2 severity.
  • CVSS V2 rated as High - 6.5 severity.
  • Solution
    Customers are advised to refer to JRASERVER-72804 for updates pertaining to this vulnerability.
    Vendor References

    CVEs related to QID 730277

    Software Advisories
    Advisory ID Software Component Link
    JRASERVER-72804 URL Logo jira.atlassian.com/browse/JRASERVER-72804