Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Template Injection in Email Templates leads to RCE on Jira Service Management Server - CVE-2021-3912

Moses Thomas
Moses Thomas
Community Champion
December 30, 2021

Hello Atlassian,

I  have been looking  for the  description regarding CVE-2021-3912  from below link

Security Advisories | Atlassian   and i can't find it why don't we have the description here and possible W.A   only  a ticket and fix  without any proper description ?

[JRASERVER-72804] Template Injection in Email Templates leads to RCE on Jira Service Management Server - CVE-2021-39128

Please could you kindly update it in the Security Advisories Doc ?

 

Kind regards,

Moses

Answer
Watch
Like Be the first to like this
752 views

2 answers

1 vote
Daniel Eads
Daniel Eads
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 4, 2022

Hi Moses,

The Security Advisories page you linked lists advisories we have released for critical vulnerabilities, per our advisory publishing policy. CVE-2021-39128 has a CVSS score of 7.2, which is high severity rather than critical severity.

If you have Jira Service Management and wish to mitigate the vulnerability, you should upgrade to the fix versions listed (or ideally, the latest bugfix version in an LTS or supported current version).

Cheers,
Daniel | Atlassian Support

View More Comments
Moses Thomas
Moses Thomas
Community Champion
January 5, 2022

@Daniel Eads  Ok  thank you for your response. Atleast is it possible to explain how the CVE could be exploited, it possible that we are not able to upgrade at the moment and i could narrow down our set up to see whether or not we need to upgrade and this means that we also need to  upgrade JIRA  software too ? if the version is the same as the one  running JSM right ?

Kind regards,

Moses

  

Like
Reply
0 votes
Gonchik Tsymzhitov
Gonchik Tsymzhitov
Community Champion
January 1, 2022

Hi! 

I tried to find exploit and or some wrap-ups, no luck. 

I would say easiest way is  just upgrade :)

View More Comments
Moses Thomas
Moses Thomas
Community Champion
January 3, 2022

@Gonchik Tsymzhitov  Yes but there should be some description as always maybe i  don't  need to upgrade from our set -up,  since our  instance is internally managed. I suspect it to be similar  to this one here   CVE-2019-11581 critical security vulnerability in Jira Server and Data Center (atlassian.com)

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira Service Desk
Jira Service Management
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Terms Security
    Welcome illustration

    Welcome to the new Atlassian Community

    Online forums and learning are now in one easy-to-use experience.

    By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.