CVE-2021-39115

HIGH

Atlassian Jira Service Management Server/Data Center - Server-Side Template Injection

Title source: llm

Description

Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with "Jira Administrators" access to execute arbitrary Java code or run arbitrary system commands via a Server_Side Template Injection vulnerability in the Email Template feature. The affected versions are before version 4.13.9, and from version 4.14.0 before 4.18.0.

Exploits (1)

nomisec WRITEUP 48 stars

by PetrusViet · poc

https://github.com/PetrusViet/CVE-2021-39115

View Code ZIP pw:eip

References (1)

Core 1

Core References

Third Party Advisory x_refsource_misc

https://jira.atlassian.com/browse/JSDSERVER-8665

Scores

CVSS v3 7.2

EPSS 0.2574

EPSS Percentile 96.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94 CWE-96

Status published

Products (2)

atlassian/jira_service_desk < 4.13.9 (2 CPE variants)

atlassian/jira_service_management 4.14.0 - 4.18.0 (2 CPE variants)

Published Sep 01, 2021

Tracked Since Feb 18, 2026