Atlassian has patched its Jira Server and Data Center products against an exploitable, high-severity bug in the products’ email templates.
The bug was disclosed in this ticket and has been assigned the identifier CVE-2022-36799.
The ticket explains that affected versions of Jira Server and Data Center “allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to remote code execution (RCE) in the Email Templates feature.
“In this case the security improvement was to protect against using the XStream library to be able to execute arbitrary code in velocity templates.
“The affected versions are before version 8.13.19, from version 8.14.0 before 8.20.7, and from version 8.21.0 before 8.22.1.”
Although the bug is exploitable only by a system administrator, Atlassian still gave it a Common Vulnerability Scoring System (CVSS) score of 7.8.
The fixed versions are Jira Server and Data Center 8.13.19, 8.20.7, 8.22.1, and 9.0.0.
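The three affected ranges quoted above are easy to misread (8.9.0 is below 8.13.19 even though "9" sorts after "13" as text), so a numeric check is worth having. The following is an added example, not code from Atlassian or from the original article: it encodes the affected ranges exactly as the advisory text states them and reports whether a given Jira Server or Data Center version string falls inside one. The version-string parsing (leading "v", a trailing "-build" suffix) is an assumption about the formats an operator might paste in, not something the advisory specifies.

```python
# Added example (not Atlassian's code): test a Jira Server / Data Center
# version string against the affected ranges Atlassian lists for CVE-2022-36799.
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Ranges copied from the advisory text: (lower bound inclusive, upper bound exclusive).
# A lower bound of None means "every version below the upper bound".
AFFECTED_RANGES = [
    (None, (8, 13, 19)),           # before 8.13.19
    ((8, 14, 0), (8, 20, 7)),      # from 8.14.0 before 8.20.7
    ((8, 21, 0), (8, 22, 1)),      # from 8.21.0 before 8.22.1
]

FIXED_VERSIONS = ["8.13.19", "8.20.7", "8.22.1", "9.0.0"]


def parse_version(s: str) -> Version:
    """Turn '8.20.6', 'v8.13.18' or '8.20.6-build' into a numeric 3-tuple.

    Comparing tuples of ints (not strings) is what makes 8.9.0 < 8.13.19 hold.
    Missing minor/patch components are treated as 0 (assumption: '8.20' means 8.20.0).
    """
    s = s.strip().lstrip("vV").split("-")[0]
    parts = tuple(int(p) for p in s.split("."))
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True if the version lies in any range the advisory marks as affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        lo_ok = lo is None or v >= lo
        if lo_ok and v < hi:
            return True
    return False


def nearest_fixed(version: str) -> Optional[str]:
    """Smallest fixed release that is not below the given version (None if already on 9.x+)."""
    v = parse_version(version)
    for fixed in FIXED_VERSIONS:
        if parse_version(fixed) >= v:
            return fixed
    return None


if __name__ == "__main__":
    # Constructed sample inputs; real deployments would read the version from
    # the Jira admin UI or the /rest/api/2/serverInfo endpoint.
    for sample in ["8.13.18", "8.13.19", "8.20.6", "8.21.0", "8.22.1", "9.0.0"]:
        status = "AFFECTED" if is_affected(sample) else "not affected"
        print(f"{sample:>8}: {status}; upgrade target: {nearest_fixed(sample)}")
```

Note that the first range has no lower bound, so 7.x and early 8.x builds are also reported as affected, which matches the advisory's wording "before version 8.13.19". The `nearest_fixed` helper only suggests the lowest fixed release at or above the current one; whether to jump straight to a later long-term-support line is an operational choice.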
Upgrade warning
In addition, after disclosing a hardcoded credential bug in its Questions for Confluence app last month, Atlassian upgraded its warning to users, saying: “An external party has discovered and publicly disclosed the hardcoded password on Twitter.
“It is important to remediate this vulnerability on affected systems immediately.”
Publication of the hardcoded password led the US Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability, CVE-2022-26138, to its Known Exploited Vulnerabilities Catalog.