This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templates has been implemented. The way in which velocity templates were used in Atlassian Jira Server and Data Center in affected versions allowed remote attackers to achieve remote code execution via insecure deserialization, if they were able to exploit a server side template injection vulnerability. The affected versions are before version 7.13.0, from version 8.0.0 before 8.5.0, and from version 8.6.0 before version 8.8.1.
Weakness
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Jira | Atlassian | * | 7.13.0 (excluding) |
| Jira | Atlassian | 8.0.0 (including) | 8.5.0 (excluding) |
| Jira | Atlassian | 8.6.0 (including) | 8.8.1 (excluding) |
| Jira_software_data_center | Atlassian | * | 7.13.0 (excluding) |
| Jira_software_data_center | Atlassian | 8.0.0 (including) | 8.5.0 (excluding) |
| Jira_software_data_center | Atlassian | 8.6.0 (including) | 8.8.1 (excluding) |
Potential Mitigations
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.