CVE-2021-39115

HIGH

Atlassian Jira Service Management Server/Data Center - Server-Side Template Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-39115. PoCs published by PetrusViet.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2021-39115, a template injection vulnerability in Jira Service Management Server. The author explains the root cause, patch analysis, and exploitation steps, including the use of `jirautils.loadComponent` and `SpelExpressionParser` for achieving RCE.

Description

Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with "Jira Administrators" access to execute arbitrary Java code or run arbitrary system commands via a Server_Side Template Injection vulnerability in the Email Template feature. The affected versions are before version 4.13.9, and from version 4.14.0 before 4.18.0.

Exploits (1)

nomisec WRITEUP 48 stars
by PetrusViet · poc
https://github.com/PetrusViet/CVE-2021-39115

This repository provides a detailed technical analysis of CVE-2021-39115, a template injection vulnerability in Jira Service Management Server. The author explains the root cause, patch analysis, and exploitation steps, including the use of `jirautils.loadComponent` and `SpelExpressionParser` for achieving RCE.

Classification
Writeup 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Atlassian Jira Service Management Server (versions up to 4.17.0)
Auth required
Prerequisites: Admin access to Jira Service Management Server
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1
Core References
Third Party Advisory x_refsource_misc
https://jira.atlassian.com/browse/JSDSERVER-8665

Scores

CVSS v3 7.2
EPSS 0.0448
EPSS Percentile 90.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-94 CWE-96
Status published
Products (2)
atlassian/jira_service_desk < 4.13.9 (2 CPE variants)
atlassian/jira_service_management 4.14.0 - 4.18.0 (2 CPE variants)
Published Sep 01, 2021
Tracked Since Feb 18, 2026