Lucene search

AtlassianCVE-2021-39115

HistorySep 01, 2021 - 11:15 p.m.

CVE-2021-39115

2021-09-0123:15:07

CWE-94

CWE-96

atlassian

web.nvd.nist.gov

cve

2021

atlassian

jira

service management

server

data center

remote attack

java code

system commands

email template

vulnerability

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

High

EPSS

0.002

Percentile

62.1%

JSON

Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with “Jira Administrators” access to execute arbitrary Java code or run arbitrary system commands via a Server_Side Template Injection vulnerability in the Email Template feature. The affected versions are before version 4.13.9, and from version 4.14.0 before 4.18.0.

Affected configurations

Nvd

Node

atlassianjira_service_deskRange<4.13.9data_center

atlassianjira_service_deskRange<4.13.9server

atlassianjira_service_managementRange4.14.0–4.18.0data_center

atlassianjira_service_managementRange4.14.0–4.18.0server

VendorProductVersionCPE
atlassianjira_service_desk*cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:data_center:*:*:*
atlassianjira_service_desk*cpe:2.3:a:atlassian:jira_service_desk:*:*:*:*:server:*:*:*
atlassianjira_service_management*cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*
atlassianjira_service_management*cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*

Vendor	Product	Version	CPE
atlassian	jira_service_desk	*	cpe:2.3:a:atlassian:jira_service_desk:::::data_center:::*
atlassian	jira_service_desk	*	cpe:2.3:a:atlassian:jira_service_desk:::::server:::*
atlassian	jira_service_management	*	cpe:2.3:a:atlassian:jira_service_management:::::data_center:::*
atlassian	jira_service_management	*	cpe:2.3:a:atlassian:jira_service_management:::::server:::*

CNA Affected

[
  {
    "product": "Jira Service Desk Server",
    "vendor": "Atlassian",
    "versions": [
      {
        "lessThan": "4.13.9",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "4.14.0",
        "versionType": "custom"
      },
      {
        "lessThan": "4.18.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Jira Service Desk Data Center",
    "vendor": "Atlassian",
    "versions": [
      {
        "lessThan": "4.13.9",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "4.14.0",
        "versionType": "custom"
      },
      {
        "lessThan": "4.18.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

jira.atlassian.com/browse/JSDSERVER-8665

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

High

EPSS

0.002

Percentile

62.1%

JSON

Related for CVE-2021-39115