Jira Server for Slack Security Advisory 17th February 2021
Summary of Vulnerability
This advisory discloses a critical severity security vulnerability in Jira Server for Slack plugin. All versions of this plugin up to and including 2.0.14 are affected by this vulnerability. Jira Server and Data Center instances that don’t have this plugin installed are NOT affected by this vulnerability. By default, this plugin does not come installed in the Jira server and data center instances. However, if you do have this plugin installed in your server or data center instances, upgrade your installations to version 2.0.15 immediately to fix this vulnerability. Also, note that this does NOT affect any Jira cloud instances.
Remote Code Execution in Jira Server for Slack (CVE-2021-26068)
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate, or low.
This is our assessment, and you should evaluate its applicability to your own IT environment.
There is a remote code execution vulnerability affecting the Jira Server for Slack plugin that can be potentially exploited by any authenticated Jira user by sending malicious payloads to the affected endpoint. In a successful exploitation of this vulnerability, an attacker could potentially execute arbitrary code on the system.
This vulnerability affects all versions up to and including 2.0.14.
Thanks to Muhamad Visat for finding and reporting this vulnerability.
We have taken the following steps to address this issue:
Released version 2.0.15 that contains a fix for this issue.
What You Need to Do
Check whether your Jira server/DC instance has the vulnerable plugin installed or not. To do this, go to your applications and search for “Jira Server for Slack” plugin. If it is installed, check the version. If the version is less than 2.0.15, then the instance is vulnerable.
Upgrade to the latest version. Details on how to update apps can be found here.
For a full description of the latest version of Jira Server for Slack, see the release notes - https://marketplace.atlassian.com/apps/1220099/jira-server-for-slack-official/version-history. You can download the latest version of the plugin from the Atlassian Marketplace.
If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to Alerts emails.
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.