Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-18113

The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8.18.1 allows remote attackers who can trick a system administrator to import their malicious workflow to execute arbitrary code via a Remote Code Execution (RCE) vulnerability. The vulnerability allowed for various problematic OSWorkflow classes to be used as part of workflows. The fix for this issue blocks usage of unsafe conditions, validators, functions and registers that are build-in into OSWorkflow library and other Jira dependencies. Atlassian-made functions or functions provided by 3rd party plugins are not affected by this fix.

Published

2021-08-02T03:15:07.110

Last Modified

2024-11-21T03:19:23.123

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.8 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-94
Type: Primary
CWE-94
Type: Secondary
CWE-94

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	atlassian	data_center	< 8.18.1	Yes
Application	atlassian	jira	< 8.18.1	Yes

References

https://jira.atlassian.com/browse/JRASERVER-72660 Issue Tracking, Vendor Advisory ([email protected])
https://jira.atlassian.com/browse/JRASERVER-72660 Issue Tracking, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)