CVE-2022-36799
moderate-risk
Published 2022-08-01
This issue exists to document that a security improvement in the way Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via template injection in the Email Templates feature, leading to remote code execution (RCE). The security improvement prevents the XStream library from being used to execute arbitrary code from Velocity templates. The affected versions are all versions before 8.13.19, versions from 8.14.0 before 8.20.7, and versions from 8.21.0 before 8.22.1. Because system administrator permissions are required, the practical risk is an administrator (or an attacker who has taken over an administrator account) escalating from Jira admin rights to code execution on the Jira host.
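The three affected ranges are easy to misread when checking an inventory (8.13.20 is not affected, 8.22.0 is). The following is an added example for this page, not Atlassian's code or anything from the linked issue tracker: a small Python version check that encodes exactly the ranges the description states. The host names and version strings in the usage block are constructed for illustration.

```python
"""Affected-version check for CVE-2022-36799 (Jira Server / Data Center).

Added example for this page; it is not Atlassian's code. The ranges are
taken from the CVE description. Inventory data at the bottom is constructed.
"""
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (lower bound inclusive or None, first fixed release exclusive), from the CVE text.
AFFECTED_RANGES = [
    (None, (8, 13, 19)),        # every release before 8.13.19
    ((8, 14, 0), (8, 20, 7)),   # 8.14.0 up to, but not including, 8.20.7
    ((8, 21, 0), (8, 22, 1)),   # 8.21.0 up to, but not including, 8.22.1
]


def parse_version(text: str) -> Version:
    """Turn '8.20.6' into (8, 20, 6). A qualifier after '-' (e.g. a build tag) is dropped."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric Jira version: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a: Version, b: Version) -> int:
    """Numeric comparison with short versions zero-padded, so 8.20 == 8.20.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def fix_for(version: str) -> Optional[str]:
    """Return the fixed release this version should move to, or None if it is not affected."""
    v = parse_version(version)
    for lower, fixed in AFFECTED_RANGES:
        if lower is not None and compare(v, lower) < 0:
            continue            # below this range's lower bound, try the next range
        if compare(v, fixed) < 0:
            return ".".join(str(n) for n in fixed)
    return None


def is_affected(version: str) -> bool:
    return fix_for(version) is not None


if __name__ == "__main__":
    # Constructed inventory for illustration, not real hosts.
    inventory = {"jira-prod": "8.20.6", "jira-stage": "8.13.19", "jira-legacy": "7.13.0"}
    for host, ver in inventory.items():
        fix = fix_for(ver)
        status = f"AFFECTED, upgrade to {fix}" if fix else "not affected"
        print(f"{host}: {ver} -> {status}")
```

Note that a version above 8.13.19 but below 8.14.0 (for example 8.13.20) falls outside all three ranges and is reported as not affected, which matches the description; the check does not extrapolate beyond what the advisory text says.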
Do I need to act?
EPSS: 3.6% chance of exploitation in the next 30 days (moderate exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown on this page; check vendor advisories for fix availability and mitigation guidance. The description above names the fixed releases (8.13.19, 8.20.7 and 8.22.1), so upgrading to or past the fix release for your line is the primary action.
CVSS: 7.2/10 (High); attack vector Network, attack complexity Low
Affected Products (2): Jira Server, Jira Data Center
Affected Vendors: Atlassian
References
Issue Tracking: https://jira.atlassian.com/browse/JRASERVER-73582
Risk score: 40 / 100 (moderate-risk)
Severity: 26/34 · High
Exploitability: 7/34 · Low
Exposure: 7/34 · Low