There was a server-side template injection vulnerability in Jira Server and Data Center, in the ContactAdministrators and the SendBulkMail actions. An attacker is able to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center. All versions of Jira Server and Data Center from 4.4.0 before 7.6.14, from 7.7.0 before 7.13.5, from 8.0.0 before 8.0.3, from 8.1.0 before 8.1.2, and from 8.2.0 before 8.2.3 are affected by this vulnerability.
Weakness
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Jira_server | Atlassian | 4.4 (including) | 7.6.14 (excluding) |
| Jira_server | Atlassian | 7.7.0 (including) | 7.13.5 (excluding) |
| Jira_server | Atlassian | 8.0.0 (including) | 8.0.3 (excluding) |
| Jira_server | Atlassian | 8.1.0 (including) | 8.1.2 (excluding) |
| Jira_server | Atlassian | 8.2.0 (including) | 8.2.3 (excluding) |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/10.html
- https://cwe.mitre.org/data/definitions/101.html
- https://cwe.mitre.org/data/definitions/105.html
- https://cwe.mitre.org/data/definitions/108.html
- https://cwe.mitre.org/data/definitions/120.html
- https://cwe.mitre.org/data/definitions/13.html
- https://cwe.mitre.org/data/definitions/135.html
- https://cwe.mitre.org/data/definitions/14.html
- https://cwe.mitre.org/data/definitions/24.html
- https://cwe.mitre.org/data/definitions/250.html
- https://cwe.mitre.org/data/definitions/267.html
- https://cwe.mitre.org/data/definitions/273.html
- https://cwe.mitre.org/data/definitions/28.html
- https://cwe.mitre.org/data/definitions/3.html
- https://cwe.mitre.org/data/definitions/34.html
- https://cwe.mitre.org/data/definitions/42.html
- https://cwe.mitre.org/data/definitions/43.html
- https://cwe.mitre.org/data/definitions/45.html
- https://cwe.mitre.org/data/definitions/46.html
- https://cwe.mitre.org/data/definitions/47.html
- https://cwe.mitre.org/data/definitions/51.html
- https://cwe.mitre.org/data/definitions/52.html
- https://cwe.mitre.org/data/definitions/53.html
- https://cwe.mitre.org/data/definitions/6.html
- https://cwe.mitre.org/data/definitions/64.html
- https://cwe.mitre.org/data/definitions/67.html
- https://cwe.mitre.org/data/definitions/7.html
- https://cwe.mitre.org/data/definitions/71.html
- https://cwe.mitre.org/data/definitions/72.html
- https://cwe.mitre.org/data/definitions/76.html
- https://cwe.mitre.org/data/definitions/78.html
- https://cwe.mitre.org/data/definitions/79.html
- https://cwe.mitre.org/data/definitions/8.html
- https://cwe.mitre.org/data/definitions/80.html
- https://cwe.mitre.org/data/definitions/83.html
- https://cwe.mitre.org/data/definitions/84.html
- https://cwe.mitre.org/data/definitions/9.html