CVE-2017-18113

CWE-94: Code Injection | 3 documents | 3 sources

Severity: 8.8 HIGH
EPSS: 2.6% (top 14.45%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 2 | Latest update May 24

Description

The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8.18.1 allows remote attackers who can trick a system administrator into importing their malicious workflow to execute arbitrary code via a Remote Code Execution (RCE) vulnerability. The vulnerability allowed various problematic OSWorkflow classes to be used as part of workflows. The fix for this issue blocks usage of unsafe conditions, validators, functions and registers that are built into OSWorkflow l

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (4 packages)

Source    | Package                      | Affected    | Fixed
CVEListV5 | atlassian/jira_data_center   | unspecified | 8.18.1
CVEListV5 | atlassian/jira_server        | unspecified | 8.18.1
NVD       | atlassian/jira               | < 8.18.1    |
NVD       | atlassian/data_center        | < 8.18.1    |

Vulnerability Details (2 documents)

Source  | Identifier           | Title                                                                                              | Date
GHSA    | GHSA-7q5w-8wg2-xwr7  | The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8       | 2022-05-24
CVEList | CVE-2017-18113       | The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8       | 2021-08-02
Source: cvebase.io