CVE-2021-39115

7.2HIGH

Key Information:

Vendor: Atlassian
Status: Jira Service Desk Server; Jira Service Desk Data Center
Vendor: CVE Published:; 1 September 2021

Badges

👾 Exploit Exists🟡 Public PoC

Summary

Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with "Jira Administrators" access to execute arbitrary Java code or run arbitrary system commands via a Server_Side Template Injection vulnerability in the Email Template feature. The affected versions are before version 4.13.9, and from version 4.14.0 before 4.18.0.

Affected Version(s)

Jira Service Desk Data Center < 4.13.9

Jira Service Desk Data Center 4.14.0

Jira Service Desk Data Center < 4.18.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-39115
Created by PetrusViet

References

https://jira.atlassian.com/browse/JSDSERVER-8665

x_refsource_MISC

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Sep 7, 2021
👾
Exploit known to exist
Sep 7, 2021
Vulnerability published
Sep 1, 2021
Vulnerability Reserved
Aug 16, 2021