CVE-2021-39128

HIGH

Atlassian Jira Server/Data Center - RCE

Description

Affected versions of Atlassian Jira Server or Data Center using the Jira Service Management addon allow remote attackers with JIRA Administrators access to execute arbitrary Java code via a server-side template injection vulnerability in the Email Template feature. The affected versions of Jira Server or Data Center are before version 8.13.12, and from version 8.14.0 before 8.19.1.

Scores

CVSS v3 7.2
EPSS 0.0083
EPSS Percentile 74.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE CWE-1336, CWE-94
Status published
Products (2)
atlassian/jira_data_center < 8.13.12
atlassian/jira_server < 8.13.12
Published Sep 16, 2021
Tracked Since Feb 18, 2026