Atlassian Jira < 8.13.15 Template Injection
high Web App Scanning Plugin ID 113281
語系:
概要
Atlassian Jira < 8.13.15 Template Injection說明
According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is prior to 8.13.15 or 8.14.x prior to 8.20.3. It is, therefore, affected by a vulnerability allowing remote attackers with administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature.Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.
解決方案
升級至 Atlassian JIRA 8.13.15 或更新版本。另請參閱
Plugin 詳細資訊
嚴重性: High
ID: 113281
類型: remote
已發布: 2022/7/8
已更新: 2023/3/14
掃描範本: api, basic, full, pci, scan
風險資訊
VPR
風險因素: Medium
分數: 5.9
CVSS v2
風險因素: High
基本分數: 9
媒介: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS 評分資料來源: CVE-2021-43947
CVSS v3
風險因素: High
基本分數: 7.2
媒介: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 評分資料來源: CVE-2021-43944
弱點資訊
CPE: cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*
可輕鬆利用: No known exploits are available
修補程式發佈日期: 2021/11/30
弱點發布日期: 2022/3/8
參考資訊
CVE: CVE-2021-43944, CVE-2021-43947
CWE: 94
OWASP: 2010-A1, 2013-A1, 2013-A9, 2017-A1, 2017-A9, 2021-A3, 2021-A6
WASC: OS Commanding
DISA STIG: APSC-DV-002510, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-CM-6b, sp800_53-SI-10
OWASP API: 2019-API7, 2019-API8, 2023-API8
OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.2.5