
Template Injection in Email Templates leads to RCE on Jira Service Management Server - CVE-2021-3912

Moses Thomas Community Leader Dec 30, 2021 (edited)

Hello Atlassian,

I have been looking for the description regarding CVE-2021-3912 at the link below:

Security Advisories | Atlassian, and I can't find it. Why don't we have the description here and a possible W.A. (workaround), only a ticket and a fix, without any proper description?

[JRASERVER-72804] Template Injection in Email Templates leads to RCE on Jira Service Management Server - CVE-2021-39128

Please could you kindly update it in the Security Advisories Doc ?


Kind regards,

Moses

2 answers

1 vote
Daniel Eads Atlassian Team Jan 04, 2022

Hi Moses,

The Security Advisories page you linked lists advisories we have released for critical vulnerabilities, per our advisory publishing policy. CVE-2021-39128 has a CVSS score of 7.2, which is high severity rather than critical severity.

If you have Jira Service Management and wish to mitigate the vulnerability, you should upgrade to the fix versions listed (or ideally, the latest bugfix version in an LTS or supported current version).

Cheers,
Daniel | Atlassian Support

Moses Thomas Community Leader Jan 05, 2022

@Daniel Eads Ok, thank you for your response. At least, is it possible to explain how the CVE could be exploited? It's possible that we are not able to upgrade at the moment, and I could narrow down our setup to see whether or not we need to upgrade. Does this also mean that we need to upgrade JIRA Software too, if its version is the same as the one running JSM?

Kind regards,

Moses


0 votes

Hi!

I tried to find an exploit and/or some write-ups, no luck.

I would say the easiest way is just to upgrade :)

Moses Thomas Community Leader Jan 03, 2022

@Gonchik Tsymzhitov Yes, but there should be some description, as always; maybe I don't need to upgrade given our set-up, since our instance is internally managed. I suspect it to be similar to this one here: CVE-2019-11581 critical security vulnerability in Jira Server and Data Center (atlassian.com)
