CVE-2022-36799

Name of the Vulnerable Software and Affected Versions Atlassian Jira Server and Data Center versions prior to 8.13.19 Atlassian Jira Server and Data Center versions 8.14.0 through 8.20.7 Atlassian Jira Server and Data Center versions 8.21.0 through 8.22.1

Description The issue is related to a security improvement in the way that Jira Server and Data Center use templates. Affected versions allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. The security improvement was to protect against using the XStream library to execute arbitrary code in velocity templates.

Recommendations For versions prior to 8.13.19, update to version 8.13.19 or later. For versions 8.14.0 through 8.20.7, update to version 8.20.7 or later. For versions 8.21.0 through 8.22.1, update to version 8.22.1 or later. As a temporary workaround, consider disabling the use of velocity templates in the Email Templates feature until a patch is available. Restrict access to the Email Templates feature to minimize the risk of exploitation.