QID 731035
Date Published: 2023-12-27
QID 731035: Atlassian Data Center and Server Remote Code Execution (RCE) Vulnerabilities (JSWSERVER-24756)
Multiple Atlassian Data Center and Server Products use the SnakeYAML library for Java, which is susceptible to a deserialization flaw that can lead to RCE (Remote Code Execution).
Affected Versions:
Jira Core Data Center and Server, and Jira Software Data Center and Server: versions 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 9.4.6, 9.4.7, 9.4.8, 9.4.9, 9.4.10, 9.4.11, 9.4.12, 9.5.x, 9.6.x, 9.7.x, 9.8.x, 9.9.x, 9.10.x, 9.11.0, 9.11.1
Note: Detection is a practice check because we cannot detect the Universal Plugin Manager (UPM) or the Automation for Jira (A4J) app at this point.
QID Detection Logic (Unauthenticated):
The QID sends an HTTP GET request to secure/Dashboard.jspa, extracts the product version from the response, and compares it against the list of vulnerable versions above.
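The version comparison described above, written out as an added example (not Qualys's own detection code). It assumes the Jira page exposes its version in an ajs-version-number meta tag; the response body is a constructed sample, and the affected ranges are exactly the versions listed in this QID:

```python
import re

# Affected versions as listed in the QID: 9.4.0-9.4.12, 9.5.x-9.10.x, 9.11.0, 9.11.1
AFFECTED_EXACT = {(9, 4, p) for p in range(0, 13)} | {(9, 11, 0), (9, 11, 1)}
AFFECTED_MINORS = {(9, m) for m in range(5, 11)}  # 9.5.x .. 9.10.x, any patch level


def parse_version(text):
    """Parse 'major.minor[.patch]' into a tuple of ints; a missing patch counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version):
    """True when the version falls inside the affected list of this QID."""
    v = parse_version(version)
    if v in AFFECTED_EXACT:
        return True
    return v[:2] in AFFECTED_MINORS


# Assumption: Jira Server/DC HTML pages carry the version in this meta tag.
META_RE = re.compile(r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"', re.I)


def version_from_dashboard(html):
    """Extract the version string from a Dashboard.jspa response body, or None."""
    m = META_RE.search(html)
    return m.group(1) if m else None


def check_dashboard(html):
    """Return (version, affected); version is None when no version tag was found."""
    version = version_from_dashboard(html)
    if version is None:
        return None, False
    return version, is_affected(version)


# Constructed sample response body (not captured from any real host).
SAMPLE_HTML = '<html><head><meta name="ajs-version-number" content="9.4.4"></head></html>'

if __name__ == "__main__":
    print(check_dashboard(SAMPLE_HTML))
```

Because the check is version-based only, a host that has already mitigated via the A4J app upgrade still reports as affected; treat the result as an inventory flag to confirm against UPM, not as proof of exploitability.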
Successful exploitation of this vulnerability may lead to remote code execution, which may aid further attacks.
Workaround:
If you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM).
- JSWSERVER-24756: jira.atlassian.com/browse/JSWSERVER-24756
CVEs related to QID 731035
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| JSWSERVER-24756 | Jira Core / Jira Software Data Center and Server | | jira.atlassian.com/browse/JSWSERVER-24756 |