CVE-2021-39115 — Static Code Injection in Atlassian Jira Service Desk Data Center

CWE-96 — Static Code Injection CWE-94 — Code Injection3 documents3 sources

Severity

7.2HIGHNVD

EPSS

25.7%

top 3.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Atlassian Jira Service Desk Data Center Atlassian Jira Service Desk Server Atlassian Jira Service Desk +1 more

Timeline

PublishedSep 1

Latest updateMay 24

Description

Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with "Jira Administrators" access to execute arbitrary Java code or run arbitrary system commands via a Server_Side Template Injection vulnerability in the Email Template feature. The affected versions are before version 4.13.9, and from version 4.14.0 before 4.18.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages4 packages

▶CVEListV5atlassian/jira_service_desk_data_centerunspecified — 4.13.9+2

▶NVDatlassian/jira_service_management4.14.0 — 4.18.0

▶CVEListV5atlassian/jira_service_desk_serverunspecified — 4.13.9+2

▶NVDatlassian/jira_service_desk< 4.13.9

🔴Vulnerability Details

GHSA

GHSA-82p4-m5cc-j7c9: Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with "Jira Administrators" access to execute arbi↗2022-05-24

▶

CVEList

CVE-2021-39115: Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with "Jira Administrators" access to execute arbi↗2021-09-01

▶