Is the severity based on the assumption that the service is accessible over the internet?
Hi @Sasi Venugopal, welcome to the Community!
For this particular vulnerability, the severity is not based on an assumption of network access. Due to the way the Unicode bidirectional characters are handled in various systems, including Jira before the patch, it would be possible for someone to trick a user into copying malicious code into a system.
Consider this scenario:
In this short example, hidden characters could be included in the source even though Jira is behind a firewall. The fix changes the way Jira renders these characters so that they become visible.
Does this help answer your question?
Thanks,
Daniel | Atlassian Community
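The answer above describes the defender's view of this issue: bidirectional control characters can make displayed text differ from what is actually stored, and the fix is to render them visibly. The following is an added example, not code from the original thread or from Atlassian; it shows how a reviewer or a CI check could detect those characters in pasted text and render them as visible escapes, which is the same idea as the Jira fix. The sample input is constructed for the example, and the function names are my own.

```python
import unicodedata

# Unicode bidirectional control characters (general category "Cf").
# They change how text is displayed but leave the stored bytes unchanged,
# which is what makes them useful for hiding code inside what looks like a comment.
BIDI_CONTROLS = {
    "\u202a": "LRE",  # LEFT-TO-RIGHT EMBEDDING
    "\u202b": "RLE",  # RIGHT-TO-LEFT EMBEDDING
    "\u202c": "PDF",  # POP DIRECTIONAL FORMATTING
    "\u202d": "LRO",  # LEFT-TO-RIGHT OVERRIDE
    "\u202e": "RLO",  # RIGHT-TO-LEFT OVERRIDE
    "\u2066": "LRI",  # LEFT-TO-RIGHT ISOLATE
    "\u2067": "RLI",  # RIGHT-TO-LEFT ISOLATE
    "\u2068": "FSI",  # FIRST STRONG ISOLATE
    "\u2069": "PDI",  # POP DIRECTIONAL ISOLATE
    "\u200e": "LRM",  # LEFT-TO-RIGHT MARK
    "\u200f": "RLM",  # RIGHT-TO-LEFT MARK
}


def find_bidi_controls(text):
    """Return (line_no, column, codepoint, short_name, unicode_name) for every
    bidi control character found in text. Lines and columns are 1- and 0-based
    respectively so the hits can be reported like compiler diagnostics."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line):
            if ch in BIDI_CONTROLS:
                hits.append((
                    line_no,
                    col,
                    f"U+{ord(ch):04X}",
                    BIDI_CONTROLS[ch],
                    unicodedata.name(ch),
                ))
    return hits


def make_visible(text):
    """Render each bidi control as a visible marker such as <U+202E RLO>,
    so the displayed text can no longer disagree with the stored text."""
    return "".join(
        f"<U+{ord(ch):04X} {BIDI_CONTROLS[ch]}>" if ch in BIDI_CONTROLS else ch
        for ch in text
    )


def is_clean(text):
    """True when the text contains no bidi control characters."""
    return not find_bidi_controls(text)


# Constructed sample: a snippet in which a RIGHT-TO-LEFT OVERRIDE is embedded
# just before what looks like an ordinary trailing comment. A bidi-aware
# renderer would reorder the rest of the line; a plain byte view would not.
SAMPLE = (
    "def check_access(user):\n"
    "    # constructed sample: the next line carries a hidden RLO character\n"
    "    if user.is_admin: \u202e # trusted only\n"
    "    return True\n"
)


if __name__ == "__main__":
    for line_no, col, cp, short, name in find_bidi_controls(SAMPLE):
        print(f"line {line_no}, col {col}: {cp} {short} ({name})")
    print(make_visible(SAMPLE))
```

Running the block on the constructed sample reports one hit on line 3 and prints the snippet with the override shown as `<U+202E RLO>`. The same two functions can be wired into a pre-commit hook or a review tool: reject (or at least flag) any submission for which `is_clean` is false, and show `make_visible` output so the reviewer sees exactly what the stored text contains.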