CVSS v3.1 base score: 9.8 (Critical on the v3.1 qualitative scale)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
AI Score: 9.8 High (confidence: High)
EPSS: 0.008 (Low), percentile 81.8%
h2. Summary of Vulnerability
Multiple Atlassian Data Center and Server products use the SnakeYAML library for Java. SnakeYAML's default {{Constructor}} instantiates whatever classes are named by type tags in the YAML it parses, so feeding it attacker-controlled YAML is a deserialization flaw that can lead to Remote Code Execution (RCE) on the host running the product.
(i) Atlassian Cloud sites are not affected by this vulnerability. If your site is accessed via an [atlassian.net|http://atlassian.net/] domain, it is hosted by Atlassian and is not vulnerable to this issue.
h2. Affected Versions
||Product||Affected Versions||
|Jira Core Data Center and Server
Jira Software Data Center and Server|9.4.0 (see the full advisory linked below for the complete list of affected versions)|
h2. Fixed Versions
||Product||Fixed Versions||
|Jira Software Data Center and Server
Jira Core Data Center and Server|Patch to the following fixed versions or later:
* 9.4.14
* 9.11.2
* 9.12.0
Mitigation: if you are unable to upgrade your product instance to a fixed version, you can completely mitigate this vulnerability by upgrading your Automation for Jira (A4J) app to a fixed version via the Universal Plugin Manager (UPM); the fix is delivered through the A4J app, which is why a patched A4J alone is sufficient.
(!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info (A4J 9.0+ is also bundled with [Jira 9.11+|https://confluence.atlassian.com/jirasoftware/jira-software-9-11-x-release-notes-1272283668.html#JiraSoftware9.11.xreleasenotes-jira-allowlist]).|
|Automation for Jira (A4J) Marketplace App|Patch to the following fixed versions or later:
* 8.2.4
* 9.0.2
Upgrade via the Universal Plugin Manager (UPM).
(!) See [breaking changes in A4J 9.0+|https://confluence.atlassian.com/jirasoftware/jira-software-9-12-x-upgrade-notes-1318887012.html#JiraSoftware9.12.xupgradenotes-Breakingchanges] for more info.|
For full descriptions of the above versions of Jira Data Center and Server, see the [release notes|https://confluence.atlassian.com/jirasoftware/jira-software-release-notes-776821069.html]. You can download the latest version of Jira Data Center and Server from the [download center|https://www.atlassian.com/software/jira/download-archives].
For additional details, please see the [full advisory|https://confluence.atlassian.com/pages/viewpage.action?pageId=1296171009].
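The fixed-version table above follows Atlassian's usual convention of one fixed version per release line, "or later", so a release such as 9.5.0 is newer than 9.4.14 yet still unpatched. The following script, an example added here by the editor and not Atlassian's own tooling, encodes that reading of the table together with the A4J mitigation, so an inventory of Jira and A4J version strings can be classified consistently. It assumes the per-line "or later" interpretation and that a later feature release (at or above the newest listed fix) is also fixed; versions older than anything the advisory names are reported as not listed rather than as safe. The sample inventory at the bottom is constructed.

```python
"""Classify Jira DC/Server instances against the advisory's fixed-version table.
Added example, not Atlassian code; version lists copied from the advisory."""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Fixed versions from the advisory, one entry per release line ("or later").
JIRA_FIXED = ("9.4.14", "9.11.2", "9.12.0")
A4J_FIXED = ("8.2.4", "9.0.2")
# Lowest Jira version the advisory's affected-versions table lists.
JIRA_FIRST_AFFECTED = "9.4.0"


def parse_version(text: str) -> Version:
    """Turn '9.4.14' into (9, 4, 14). Qualifiers such as '-m0001' and any
    fourth component are ignored; missing components become 0."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_fixed(version: str, fixed: Tuple[str, ...]) -> bool:
    """A version is fixed when it is at or above the fix on its own
    major.minor line, or at or above the newest listed fix overall (a later
    feature release). A line with no listed fix, e.g. Jira 9.5.x, is not.
    Assumption: this is the standard reading of Atlassian's 'or later'."""
    v = parse_version(version)
    fixes = sorted(parse_version(f) for f in fixed)
    if v >= fixes[-1]:
        return True
    return any(v[:2] == f[:2] and v >= f for f in fixes)


def assess(jira_version: str, a4j_version: Optional[str] = None) -> str:
    """Return 'fixed', 'mitigated' (Jira unpatched but the A4J app is at a
    fixed version, which the advisory says fully mitigates), 'affected',
    or 'not_listed' (older than any version the advisory names)."""
    if is_fixed(jira_version, JIRA_FIXED):
        return "fixed"
    if parse_version(jira_version) < parse_version(JIRA_FIRST_AFFECTED):
        return "not_listed"
    if a4j_version is not None and is_fixed(a4j_version, A4J_FIXED):
        return "mitigated"
    return "affected"


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = [
        ("jira-lts-a", "9.4.13", "8.2.3"),
        ("jira-lts-b", "9.4.13", "8.2.4"),
        ("jira-feature", "9.5.0", None),
        ("jira-current", "9.12.0", None),
    ]
    for host, jira, a4j in inventory:
        print(f"{host:14} Jira {jira:8} A4J {a4j or '-':6} -> {assess(jira, a4j)}")
```

The Jira version string can be read from the instance's own REST endpoint {{/rest/api/2/serverInfo}} (the {{version}} field) and the A4J version from the app's entry in UPM; both are left to the caller here so the classification runs offline. Treat "mitigated" as a reminder that the product itself is still on an unpatched release and should be upgraded when the A4J breaking changes have been reviewed.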
h4. Support
Comments on this ticket are not monitored. If you have questions or concerns regarding this advisory, please raise a support request at [https://support.atlassian.com/].