Server-Side Template Injection in Atlassian Jira Service Management Server and Data Center
CVE-2021-39115

7.2HIGH

Key Information:

Vendor: Atlassian
Status: Jira Service Desk Server; Jira Service Desk Data Center
Vendor: CVE Published:; 1 September 2021

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The server-side template injection vulnerability in Atlassian Jira Service Management Server and Data Center enables remote attackers with Jira Administrators access to execute arbitrary Java code or run arbitrary system commands through the Email Template feature. This flaw affects versions prior to 4.13.9 and those between 4.14.0 and 4.18.0, exposing the application to potential security breaches.

Affected Version(s)

Jira Service Desk Data Center < 4.13.9

Jira Service Desk Data Center 4.14.0

Jira Service Desk Data Center < 4.18.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-39115
Created by PetrusViet

References

https://jira.atlassian.com/browse/JSDSERVER-8665

x_refsource_MISC

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Sep 7, 2021
👾
Exploit known to exist
Sep 7, 2021
Vulnerability published
Sep 1, 2021
Vulnerability Reserved
Aug 16, 2021