- 171/2022
- High
Atlassian Jira Server and Data Center could allow the remote authenticated attacker to execute arbitrary code on the system.
The remote attacker could exploit the addressed vulnerability by using a specially crafted velocity template to execute arbitrary code on the system via template injection, leading to Remote Code Execution (RCE) in the email templates feature.
Affected Versions by This Vulnerability:
- Jira Server:
- Versions prior to 8.13.19 & Versions 8.14.0 and later
- Versions prior to 8.20.7 & Versions 8.21.0 and later
- Versions prior to 8.22.1
- Jira Data Center:
- Versions prior to 8.13.19 & Versions 8.14.0 and later
- Versions prior to 8.20.7 & Version 8.21.0 and later
- Versions prior to 8.22.1
The Addressed Vulnerability:
Atlassian Jira Data Center and Server code execution (CVE-2022-36799)
- CVSS: 7.2
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Gain Access
- Remediation Level: Official Fix
Vulnerabilities
CVE-2022-36799
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.
https://jira.atlassian.com/browse/JRASERVER-73582