First published: Mon Aug 01 2022(Updated: )
This issue exists to document that a security improvement in the way Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection in the Email Templates feature, leading to Remote Code Execution (RCE). The security improvement prevents the XStream library from being used to execute arbitrary code from within Velocity templates. Because the attacker must already hold system administrator permissions, the practical impact is an escalation from a Jira administrator account to code execution on the host operating system; it does not give unauthenticated users a path to the template editor. The affected versions are before 8.13.19, from 8.14.0 before 8.20.7, and from 8.21.0 before 8.22.1.
Credit: security@atlassian.com
Affected Software | Affected Version | How to fix |
---|---|---|
Atlassian Jira Data Center | <8.13.19 | Upgrade to 8.13.19 or later |
Atlassian Jira Data Center | >=8.14.0, <8.20.7 | Upgrade to 8.20.7 or later |
Atlassian Jira Data Center | >=8.21.0, <8.22.1 | Upgrade to 8.22.1 or later |
Atlassian Jira Server | <8.13.19 | Upgrade to 8.13.19 or later |
Atlassian Jira Server | >=8.14.0, <8.20.7 | Upgrade to 8.20.7 or later |
Atlassian Jira Server | >=8.21.0, <8.22.1 | Upgrade to 8.22.1 or later |
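The affected ranges above are easy to misread when comparing dotted versions as strings (8.9.0 sorts after 8.13.19, for instance). The following is an added example, not code from this advisory or from Atlassian, that turns the three ranges into a check you can run over an inventory of instance versions. The hostnames and version strings in the sample inventory are constructed; the REST endpoint mentioned in the comment is one way to obtain a version string and is not part of this advisory.

```python
# Added example (not from the advisory or from Atlassian): decide whether a
# given Jira Server / Data Center version falls inside the affected ranges for
# CVE-2022-36799, using only the ranges stated in the advisory text.
from __future__ import annotations

# Affected ranges as (inclusive lower bound, exclusive upper bound). A None
# lower bound means "every version below the upper bound". The upper bound of
# each range is also the first fixed release of that branch.
AFFECTED_RANGES = [
    (None, "8.13.19"),
    ("8.14.0", "8.20.7"),
    ("8.21.0", "8.22.1"),
]
FIXED_VERSIONS = [high for _, high in AFFECTED_RANGES]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted Jira version such as '8.20.3' into a comparable tuple.

    Jira versions are plain dotted integers; integer tuples compare
    component by component, so 8.9.0 < 8.13.19 and 8.20.3 < 8.20.7 as
    intended (a string comparison would get the first one wrong). Missing
    trailing components are padded with zeros so '8.14' == '8.14.0'.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a plain dotted numeric version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def is_affected(version: str) -> bool:
    """Return True if `version` lies inside one of the affected ranges."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        below_high = v < parse_version(high)
        at_or_above_low = low is None or v >= parse_version(low)
        if below_high and at_or_above_low:
            return True
    return False


def suggested_fix(version: str) -> str | None:
    """Return the nearest fixed release for an affected version, else None.

    The nearest fix is the lowest fixed release greater than the installed
    version, which keeps the upgrade on the same feature branch where one
    exists (8.20.0 -> 8.20.7) and otherwise moves to the next fixed branch.
    """
    if not is_affected(version):
        return None
    v = parse_version(version)
    candidates = [f for f in FIXED_VERSIONS if parse_version(f) > v]
    return min(candidates, key=parse_version)


if __name__ == "__main__":
    # Constructed sample inventory (not real hosts). In practice the version
    # string can be read from the instance footer or, for example, from the
    # /rest/api/2/serverInfo endpoint (assumption; not part of the advisory).
    inventory = {
        "jira-a": "8.13.18",
        "jira-b": "8.20.7",
        "jira-c": "8.21.0",
        "jira-d": "8.5.1",
        "jira-e": "8.22.1",
        "jira-f": "8.20.12",
    }
    for host, ver in inventory.items():
        if is_affected(ver):
            print(f"{host:8} {ver:9} affected, upgrade to {suggested_fix(ver)}")
        else:
            print(f"{host:8} {ver:9} not affected")
```

The check treats the three ranges exactly as the advisory states them: the lower bound is inclusive, the upper bound is exclusive, and a version on the gap between two ranges (for example 8.20.12, which is at or above 8.20.7 and below 8.21.0) is reported as not affected.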
CVE-2022-36799 is a vulnerability in Atlassian Jira Server and Data Center that allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection.
CVE-2022-36799 has a severity rating of 7.2 (High).
Atlassian Jira Server versions before 8.13.19, from 8.14.0 before 8.20.7, and from 8.21.0 before 8.22.1 are affected by CVE-2022-36799.
Atlassian Jira Data Center versions before 8.13.19, from 8.14.0 before 8.20.7, and from 8.21.0 before 8.22.1 are affected by CVE-2022-36799.
To fix CVE-2022-36799, upgrade Atlassian Jira Server or Data Center to version 8.13.19, 8.20.7, or 8.22.1 or later, choosing the fixed release that matches the installed feature branch (for example, an 8.20.x instance moves to 8.20.7 or later).