#VU73938 Template injection in Jira Software and Jira Data Center - CVE-2022-36799

Cybersecurity Help s.r.o.

Published: 2023-03-22

Vulnerability identifier: #VU73938

Vulnerability risk: Low

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-36799

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Jira Software
Client/Desktop applications / Other client software
Jira Data Center
Server applications / Other server solutions

Vendor: Atlassian

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in the Email Templates feature. A remote authenticated administrator can inject arbitrary code into email template and execute it on the server.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Jira Software: 8.13.0 - 8.19.1, 8.20.0 - 8.22.0

Jira Data Center: 8.13.0 - 8.22.0

External links
https://jira.atlassian.com/browse/JRASERVER-73582

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Template injection in Atlassian Jira Server and Data Center