
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN881
_____________________________________________________________________

DATE                : 18/12/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Jira Service Management Data
                     Center, Jira Service Management Server
                     versions prior to 10.3.15, 11.1.0, 11.2.0, 11.3.0.

=====================================================================
https://jira.atlassian.com/browse/JSDSERVER-16477
https://jira.atlassian.com/browse/JSDSERVER-16470
https://jira.atlassian.com/browse/JSDSERVER-16478
https://jira.atlassian.com/browse/JSDSERVER-16456
https://jira.atlassian.com/browse/JSDSERVER-16461
https://jira.atlassian.com/browse/JSDSERVER-16462
https://jira.atlassian.com/browse/JSDSERVER-16458
https://jira.atlassian.com/browse/JSDSERVER-16466
https://jira.atlassian.com/browse/JSDSERVER-16469
https://jira.atlassian.com/browse/JSDSERVER-16480
https://jira.atlassian.com/browse/JSDSERVER-16479
_____________________________________________________________________

XXE (XML External Entity Injection) Tika Dependency in Jira Service
Management Data Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    10.3.15, 11.2.0, 11.3.0
    Affects Version/s:    10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4,
        10.3.5, 10.3.6, 10.3.7, 10.3.8, 10.3.9, 10.3.10, 10.3.11, 10.3.12,
        10.3.13, 10.3.14, 11.0.0, 11.1.0, 11.0.1, 11.1.1
    Component/s:    None
    Labels:    advisory advisory-to-release dont-import security

    CVSS Score:    10
    CVSS Severity:    Critical
    CVE ID:    CVE-2025-66516
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
    Vulnerability Classes:    XXE (XML External Entity Injection)
    Affected Product(s):    Jira Service Management Data Center,
        Jira Service Management Server

This Jira Service Management release includes updates to our Apache
Tika dependency in response to CVE-2025-66516.

Our security team has assessed that the current scope of this CVE
does not present the same critical risk in our products, as our
use of the dependency doesn’t support the known path for
exploitation.

The patch for CVE-2025-66516 is being released out of an abundance
of caution.

This Critical severity XXE (XML External Entity Injection)
vulnerability, known as CVE-2025-66516, was introduced in versions
10.3.0, 11.0.0, and 11.1.0 of Jira Service Management Data Center and
Server.

This vulnerability, with a CVSS Score of 10 and a CVSS Vector of
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H,
allows an unauthenticated attacker to take actions with high impact
on confidentiality, high impact on integrity and high impact on
availability, and requires no user interaction.

Atlassian recommends that Jira Service Management Data Center and
Server customers upgrade to the latest version; if you are unable to
do so, upgrade your instance to one of the specified supported fixed
versions:

    Jira Service Management Data Center and Server 10.3: upgrade to
    a release greater than or equal to 10.3.15
    Jira Service Management Data Center and Server 11.2: upgrade to
    a release greater than or equal to 11.2.1

See the release notes. You can download the latest version of
Jira Service Management Data Center and Server from the
download center.

The National Vulnerability Database provides the following
description for this vulnerability: Critical XXE in Apache
Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1)
and tika-parsers (1.13-1.28.5) modules on all platforms
allows an attacker to carry out XML External Entity injection
via a crafted XFA file inside of a PDF. This CVE covers the
same vulnerability as in CVE-2025-54988. However, this CVE
expands the scope of affected packages in two ways. First,
while the entrypoint for the vulnerability was the
tika-parser-pdf-module as reported in CVE-2025-54988, the
vulnerability and its fix were in tika-core. Users who upgraded
the tika-parser-pdf-module but did not upgrade tika-core
to >= 3.2.2 would still be vulnerable. Second, the original
report failed to mention that in the 1.x Tika releases, the
PDFParser was in the "org.apache.tika:tika-parsers" module.
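The NVD text above makes a point that is easy to miss in a dependency review: the fix lives in tika-core, so an instance whose PDF module was bumped while tika-core stayed behind is still exposed. The JavaScript below is an added example, not Atlassian's or Apache Tika's code. It takes constructed Maven coordinates of the `groupId:artifactId:version` form (what a `mvn dependency:list` run prints, with scope stripped) and flags any Tika module still inside the affected ranges quoted in the description; the `AFFECTED` table, `compareVersions` and `flagTikaModules` are this example's own.

```javascript
// Added example: flag Apache Tika modules still inside the affected version
// ranges quoted in the NVD description for CVE-2025-66516. Not Tika or
// Atlassian code.

// Ranges from the advisory text, both ends inclusive; fixed in 3.2.2 and later.
const AFFECTED = {
  "org.apache.tika:tika-core":              [["1.13", "3.2.1"]],
  "org.apache.tika:tika-parser-pdf-module": [["2.0.0", "3.2.1"]],
  "org.apache.tika:tika-parsers":           [["1.13", "1.28.5"]],
};

// Compare dotted numeric versions; negative, zero or positive like strcmp.
// Pre-release suffixes ("3.2.2-SNAPSHOT") are cut off before comparing.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x - y;
  }
  return 0;
}

function inRange(version, [lo, hi]) {
  return compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0;
}

// coords: array of "groupId:artifactId:version" strings.
// Returns the coordinates still affected, plus a flag for the half-upgraded
// case the NVD text calls out: PDF module patched, tika-core not.
function flagTikaModules(coords) {
  const affected = [];
  let pdfFixed = false;
  let coreAffected = false;
  for (const coord of coords) {
    const [group, artifact, version] = coord.split(":");
    const key = `${group}:${artifact}`;
    const ranges = AFFECTED[key];
    if (!ranges) continue; // not a Tika module we track
    const hit = ranges.some((r) => inRange(version, r));
    if (hit) affected.push(coord);
    if (key === "org.apache.tika:tika-core" && hit) coreAffected = true;
    if (key === "org.apache.tika:tika-parser-pdf-module" && !hit) pdfFixed = true;
  }
  return { affected, partialUpgrade: pdfFixed && coreAffected };
}

// Constructed sample: the PDF module was bumped to 3.2.2 but tika-core was not.
const SAMPLE_COORDS = [
  "org.apache.tika:tika-core:3.2.1",
  "org.apache.tika:tika-parser-pdf-module:3.2.2",
  "com.example:unrelated-lib:1.0.0", // constructed filler, ignored
];

console.log(flagTikaModules(SAMPLE_COORDS));
// → { affected: [ 'org.apache.tika:tika-core:3.2.1' ], partialUpgrade: true }
```

Run it against the real dependency list of the deployment; a non-empty `affected` array, and in particular `partialUpgrade: true`, is the condition the NVD note warns about.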

_____________________________________________________________________

Prototype Pollution zrender Dependency in Jira Service Management
Data Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    10.3.14, 11.3.0
    Affects Version/s:    10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5,
        10.3.6, 10.3.7, 10.3.8, 10.3.9, 10.3.10, 10.3.11, 10.3.12, 10.3.13,
        11.0.0, 11.1.0, 11.0.1, 11.0.2, 11.1.1, 11.1.2, 11.2.0
    Component/s:    None
    Labels:    advisory advisory-to-release dont-import security

    CVSS Score:    9.8
    CVSS Severity:    Critical
    CVE ID:    CVE-2021-39227
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Vulnerability Classes:    Prototype Pollution
    Affected Product(s):    Jira Service Management Data Center,
        Jira Service Management Server

This is a vulnerability in a non-Atlassian Jira Service Management
dependency. Atlassian's application of this dependency presents a
lower, non-critical assessed risk.

This Critical severity Prototype Pollution vulnerability, known as
CVE-2021-39227, was introduced in versions 10.3.0 and 11.0.0 of Jira
Service Management Data Center and Server.

This vulnerability, with a CVSS Score of 9.8 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, allows an
unauthenticated attacker to take actions with high impact on
confidentiality, high impact on integrity and high impact on
availability, and requires no user interaction.

Atlassian recommends that Jira Service Management Data Center and
Server customers upgrade to the latest version; if you are unable to
do so, upgrade your instance to one of the specified supported fixed
versions:

    Jira Service Management Data Center and Server 10.3: upgrade to
    a release greater than or equal to 10.3.14
    Jira Service Management Data Center and Server 11.3: upgrade to
    a release greater than or equal to 11.3.0

See the release notes. You can download the latest version of
Jira Service Management Data Center and Server from the download
center.

The National Vulnerability Database provides the following
description for this vulnerability: ZRender is a lightweight
graphic library providing 2d draw for Apache ECharts. In
versions prior to 5.2.1, using `merge` and `clone` helper methods
in the `src/core/util.ts` module results in prototype pollution.
It affects the popular data visualization library Apache ECharts,
which uses and exports these two methods directly. The GitHub
Security Advisory page for this vulnerability contains a proof
of concept. This issue is patched in ZRender version 5.2.1. One
workaround is available: check if there is `__proto__` in the
object keys, and omit it before using the object as a parameter in
these affected methods, or in `echarts.util.merge` and `setOption`
if the project is using ECharts.

_____________________________________________________________________

XXE (XML External Entity Injection) in Jira Service Management Data
Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    10.3.13, 11.2.0
    Affects Version/s:    10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5,
        10.3.6, 10.3.7, 10.3.8, 10.3.9, 10.3.10, 10.3.11, 10.3.12, 11.0.1,
        11.1.1
    Component/s:    None
    Labels:    advisory advisory-to-release dont-import security

    CVSS Score:    8.4
    CVSS Severity:    High
    CVE ID:    CVE-2025-54988
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:    CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Vulnerability Classes:    XXE (XML External Entity Injection)
    Affected Product(s):    Jira Service Management Data Center,
        Jira Service Management Server

This High severity XXE (XML External Entity Injection) vulnerability
was introduced in versions 10.3.0, 11.0.0, and 11.1.0 of
Jira Service Management Data Center and Server.

This XXE (XML External Entity Injection) vulnerability, with a CVSS
Score of 8.4 and a CVSS Vector of
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, allows an
unauthenticated attacker to access local and remote content, with
high impact on confidentiality, high impact on integrity and high
impact on availability, and requires no user interaction.

Atlassian recommends that Jira Service Management Data Center and
Server customers upgrade to the latest version; if you are unable to
do so, upgrade your instance to one of the specified supported fixed
versions:

    Jira Service Management Data Center and Server 10.3: upgrade to
    a release greater than or equal to 10.3.13
    Jira Service Management Data Center and Server 11.2: upgrade to
    a release greater than or equal to 11.2.0

See the release notes. You can download the latest version of
Jira Service Management Data Center and Server from the download
center.

The National Vulnerability Database provides the following description
for this vulnerability: Critical XXE in Apache Tika
(tika-parser-pdf-module) in Apache Tika 1.13 through and including
3.2.1 on all platforms allows an attacker to carry out XML External
Entity injection via a crafted XFA file inside of a PDF. An attacker
may be able to read sensitive data or trigger malicious requests to
internal resources or third-party servers. Note that the
tika-parser-pdf-module is used as a dependency in several Tika
packages including at least: tika-parsers-standard-modules,
tika-parsers-standard-package, tika-app, tika-grpc and
tika-server-standard.

Users are recommended to upgrade to version 3.2.2, which fixes this
issue.

_____________________________________________________________________

DoS (Denial of Service) io.netty:netty-codec-http2 Dependency in Jira
Service Management Data Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    10.3.12, 11.1.0
    Affects Version/s:    10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5,
        10.3.6, 10.3.7, 10.3.8, 10.3.9, 10.3.10, 10.3.11, 10.3.12, 11.0.0,
        11.0.1
    Component/s:    None
    Labels:    advisory advisory-to-release dont-import security

    CVSS Score:    8.2
    CVSS Severity:    High
    CVE ID:    CVE-2025-55163
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Vulnerability Classes:    DoS (Denial of Service)
    Affected Product(s):    Jira Service Management Data Center,
        Jira Service Management Server

This High severity DoS (Denial of Service) vulnerability, known as
CVE-2025-55163, was introduced in versions 10.3.0 and 11.0.0 of Jira
Service Management Data Center and Server.

This vulnerability, with a CVSS Score of 8.2 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, allows an
unauthenticated attacker to expose assets in your environment to
exploitation, with no impact on confidentiality, no impact on
integrity and high impact on availability, and requires no user
interaction.

Atlassian recommends that Jira Service Management Data Center and
Server customers upgrade to the latest version; if you are unable to
do so, upgrade your instance to one of the specified supported fixed
versions:

    Jira Service Management Data Center and Server 10.3: upgrade to
    a release greater than or equal to 10.3.12
    Jira Service Management Data Center and Server 11.0: upgrade to
    a release greater than or equal to 11.1.0

See the release notes. You can download the latest version of
Jira Service Management Data Center and Server from the download
center.

The National Vulnerability Database provides the following
description for this vulnerability: Netty is an asynchronous,
event-driven network application framework. Prior to versions
4.1.124.Final and 4.2.4.Final, Netty is vulnerable to
MadeYouReset DDoS. This is a logical vulnerability in the
HTTP/2 protocol, that uses malformed HTTP/2 control frames
in order to break the max concurrent streams limit - which
results in resource exhaustion and distributed denial of
service. This issue has been patched in versions 4.1.124.Final
and 4.2.4.Final.
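The description above turns on one detail: a stream the server itself has to reset never counts against the max concurrent streams limit, so that limit alone no longer bounds the work a connection can cause. The defensive response is to budget server-initiated RST_STREAM frames per connection and close a connection that exhausts the budget. The JavaScript below is an added model of that idea, not Netty's implementation: the `ResetBudget` class, the `processFrames` stand-in for the server's frame handling, the limit values and the sample frame events are all constructed for illustration.

```javascript
// Added example: per-connection sliding-window budget for server-initiated
// RST_STREAM frames. Illustrative model of the mitigation, not Netty code.

class ResetBudget {
  // At most maxResets server-sent resets per windowMs per connection before
  // the connection itself is closed.
  constructor(maxResets, windowMs) {
    this.maxResets = maxResets;
    this.windowMs = windowMs;
    this.byConnection = new Map(); // connId -> timestamps of recent resets
  }

  // Record a reset at time `now` (ms). Returns true when the connection has
  // exceeded its budget and should be torn down.
  record(connId, now) {
    const times = this.byConnection.get(connId) || [];
    // Forget resets that have fallen out of the sliding window.
    while (times.length && now - times[0] >= this.windowMs) times.shift();
    times.push(now);
    this.byConnection.set(connId, times);
    return times.length > this.maxResets;
  }
}

// Minimal stand-in for the server side: a malformed control frame forces a
// RST_STREAM, which is charged to the connection's budget. Frames arriving
// after a connection was closed are dropped without further work.
function processFrames(frames, budget) {
  const closed = new Set();
  let resets = 0;
  for (const f of frames) {
    if (closed.has(f.conn)) continue;
    if (f.malformed) {
      resets++;
      if (budget.record(f.conn, f.t)) closed.add(f.conn);
    }
  }
  return { resets, closedConnections: [...closed] };
}

// Constructed sample traffic: "c1" provokes 8 resets within 8 ms, "c2"
// provokes one reset every 500 ms (a normal-looking error rate).
const SAMPLE_FRAMES = [];
for (let i = 0; i < 8; i++) {
  SAMPLE_FRAMES.push({ conn: "c1", t: i, type: "WINDOW_UPDATE", malformed: true });
}
for (let i = 0; i < 8; i++) {
  SAMPLE_FRAMES.push({ conn: "c2", t: i * 500, type: "WINDOW_UPDATE", malformed: true });
}

console.log(processFrames(SAMPLE_FRAMES, new ResetBudget(5, 1000)));
// → { resets: 14, closedConnections: [ 'c1' ] }
```

With a budget of 5 resets per second, "c1" is closed on its sixth reset and its remaining frames cost nothing, while "c2" never holds more than two resets in any one-second window and stays up. In a real server the budget would be consulted from the frame decoder, and the window and limit tuned to the observed legitimate reset rate.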

_____________________________________________________________________

DoS (Denial of Service) org.apache.struts:struts-core Dependency in
Jira Service Management Data Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    11.2.1
    Affects Version/s:    11.2.0
    Component/s:    None
    Labels:    advisory advisory-to-release dont-import security

    CVSS Score:    8.2
    CVSS Severity:    High
    CVE ID:    CVE-2016-1182
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
    Vulnerability Classes:    DoS (Denial of Service)
    Affected Product(s):    Jira Service Management Data Center,
        Jira Service Management Server

This High severity DoS (Denial of Service) vulnerability, known as
CVE-2016-1182, was introduced in version 11.2.0 of Jira Service
Management Data Center and Server.

This vulnerability, with a CVSS Score of 8.2 and a CVSS Vector of
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H, allows an
unauthenticated attacker to take actions with no impact on
confidentiality, low impact on integrity and high impact on
availability, and requires no user interaction.

Atlassian recommends that Jira Service Management Data Center and
Server customers upgrade to the latest version; if you are unable to
do so, upgrade your instance to one of the specified supported fixed
versions:

    Jira Service Management Data Center and Server 11.2: upgrade to
    a release greater than or equal to 11.2.1

See the release notes. You can download the latest version of Jira
Service Management Data Center and Server from the download center.

The National Vulnerability Database provides the following
description for this vulnerability: ActionServlet.java in Apache
Struts 1 1.x through 1.3.10 does not properly restrict the Validator
configuration, which allows remote attackers to conduct cross-site
scripting (XSS) attacks or cause a denial of service via crafted
input, a related issue to CVE-2015-0899.

_____________________________________________________________________

RCE (Remote Code Execution) in Jira Service Management Data Center
and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    11.2.1, 11.3.0
    Affects Version/s:    11.2.0
    Component/s:    None
    Labels:    advisory advisory-to-release dont-import security

    CVSS Score:    8.1
    CVSS Severity:    High
    CVE ID:    CVE-2016-1181
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:    CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    Vulnerability Classes:    RCE (Remote Code Execution)
    Affected Product(s):    Jira Service Management Data Center,
        Jira Service Management Server

This High severity RCE (Remote Code Execution) vulnerability was
introduced in version 11.2.0 of Jira Service Management Data
Center and Server.

This RCE (Remote Code Execution) vulnerability, with a CVSS Score of
8.1 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,
allows an unauthenticated attacker to execute arbitrary code, with
high impact on confidentiality, high impact on integrity and high
impact on availability, and requires no user interaction.

Atlassian recommends that Jira Service Management Data Center and
Server customers upgrade to the latest version; if you are unable to
do so, upgrade your instance to one of the specified supported fixed
versions:

    Jira Service Management Data Center and Server 11.2: upgrade to
    a release greater than or equal to 11.2.1

See the release notes. You can download the latest version of Jira
Service Management Data Center and Server from the download center.

The National Vulnerability Database provides the following description
for this vulnerability: ActionServlet.java in Apache Struts 1 1.x
through 1.3.10 mishandles multithreaded access to an ActionForm
instance, which allows remote attackers to execute arbitrary code or
cause a denial of service (unexpected memory access) via a multipart
request, a related issue to CVE-2015-0899.

_____________________________________________________________________

XXE (XML External Entity Injection) in Jira Service Management Data
Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    11.2.1, 11.3.0
    Affects Version/s:    11.2.0
    Component/s:    None
    Labels:    advisory advisory-to-release dont-import security

    CVSS Score:    7.5
    CVSS Severity:    High
    CVE ID:    CVE-2023-49735
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    Vulnerability Classes:    XXE (XML External Entity Injection)
    Affected Product(s):    Jira Service Management Data Center,
        Jira Service Management Server

This High severity XXE (XML External Entity Injection) vulnerability
was introduced in version 11.2.0 of Jira Service Management Data
Center and Server.

This XXE (XML External Entity Injection) vulnerability, with a CVSS
Score of 7.5 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, allows an
unauthenticated attacker to access local and remote content, with
high impact on confidentiality, no impact on integrity and no impact
on availability, and requires no user interaction.

Atlassian recommends that Jira Service Management Data Center and
Server customers upgrade to the latest version; if you are unable to
do so, upgrade your instance to one of the specified supported fixed
versions:

    Jira Service Management Data Center and Server 11.2: upgrade to
    a release greater than or equal to 11.2.1

See the release notes. You can download the latest version of Jira
Service Management Data Center and Server from the download center.

The National Vulnerability Database provides the following
description for this vulnerability: ** UNSUPPORTED WHEN ASSIGNED **

The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on
the session was not validated while resolving XML definition files,
leading to possible path traversal and eventually SSRF/XXE when
passing user-controlled data to this key. Passing user-controlled
data to this key may be relatively common, as it was also used
like that to set the language in the 'tiles-test' application
shipped with Tiles.

This issue affects Apache Tiles from version 2 onwards.

NOTE: This vulnerability only affects products that are no longer
supported by the maintainer.

_____________________________________________________________________

Improper Authorization
org.springframework.security:spring-security-core Dependency in Jira
Service Management Data Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    11.2.0
    Affects Version/s:    11.0.1, 11.1.1
    Component/s:    None
    Labels:    advisory advisory-to-release dont-import security

    CVSS Score:    7.5
    CVSS Severity:    High
    CVE ID:    CVE-2025-41248
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    Vulnerability Classes:    Improper Authorization
    Affected Product(s):    Jira Service Management Data Center,
        Jira Service Management Server

This High severity Improper Authorization vulnerability was
introduced in versions 11.0.1 and 11.1.1 of Jira Service Management
Data Center and Server.

This vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, allows an
unauthenticated attacker to expose assets in your environment to
exploitation, with high impact on confidentiality, no impact on
integrity and no impact on availability, and requires no user
interaction.

Atlassian recommends that Jira Service Management Data Center and
Server customers upgrade to the latest version; if you are unable to
do so, upgrade your instance to one of the specified supported fixed
versions:

    Jira Service Management Data Center and Server 11.0: upgrade to
    a release greater than or equal to 11.2.0

See the release notes. You can download the latest version of Jira
Service Management Data Center and Server from the download center.

The National Vulnerability Database provides the following description
for this vulnerability: The Spring Security annotation detection
mechanism may not correctly resolve annotations on methods within
type hierarchies with a parameterized super type with unbounded
generics. This can be an issue when using @PreAuthorize and other
method security annotations, resulting in an authorization bypass.
Your application may be affected by this if you are using Spring
Security's @EnableMethodSecurity feature. You are not affected by
this if you are not using @EnableMethodSecurity or if you do not
use security annotations on methods in generic superclasses or
generic interfaces. This CVE is published in conjunction with
CVE-2025-41249 https://spring.io/security/cve-2025-41249.

_____________________________________________________________________

DoS (Denial of Service) minimatch Dependency in Jira Service
Management Data Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    10.3.14
    Affects Version/s:    10.3.13
    Component/s:    None
    Labels:    advisory advisory-to-release dont-import security

    CVSS Score:    7.5
    CVSS Severity:    High
    CVE ID:    CVE-2022-3517
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Vulnerability Classes:    DoS (Denial of Service)
    Affected Product(s):    Jira Service Management Data Center,
        Jira Service Management Server

This High severity DoS (Denial of Service) vulnerability, known as
CVE-2022-3517, was introduced in version 10.3.13 of Jira Service
Management Data Center and Server.

This vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, allows an
unauthenticated attacker to take actions with no impact on
confidentiality, no impact on integrity and high impact on
availability, and requires no user interaction.

Atlassian recommends that Jira Service Management Data Center and
Server customers upgrade to the latest version; if you are unable to
do so, upgrade your instance to one of the specified supported fixed
versions:

    Jira Service Management Data Center and Server 10.3: upgrade to
    a release greater than or equal to 10.3.14

See the release notes. You can download the latest version of
Jira Service Management Data Center and Server from the download
center.

The National Vulnerability Database provides the following description
for this vulnerability: A vulnerability was found in the minimatch
package. This flaw allows a Regular Expression Denial of Service
(ReDoS) when calling the braceExpand function with specific arguments,
resulting in a Denial of Service.

_____________________________________________________________________

DoS (Denial of Service) axios Dependency in Jira Service Management
Data Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    10.3.13, 11.2.1, 11.3.0
    Affects Version/s:    10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5,
        10.3.6, 10.3.7, 10.3.8, 10.3.10, 10.3.11, 11.0.0, 11.1.0, 11.2.0
    Component/s:    None
    Labels:    advisory advisory-to-release dont-import security

    CVSS Score:    7.5
    CVSS Severity:    High
    CVE ID:    CVE-2025-58754
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    Vulnerability Classes:    DoS (Denial of Service)
    Affected Product(s):    Jira Service Management Data Center,
        Jira Service Management Server

This High severity DoS (Denial of Service) vulnerability, known as
CVE-2025-58754, was introduced in versions 10.3.0 and 11.0.0 of Jira
Service Management Data Center and Server.

This vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, allows an
unauthenticated attacker to take actions with no impact on
confidentiality, no impact on integrity and high impact on
availability, and requires no user interaction.

Atlassian recommends that Jira Service Management Data Center and
Server customers upgrade to the latest version; if you are unable to
do so, upgrade your instance to one of the specified supported fixed
versions:

    Jira Service Management Data Center and Server 10.3: upgrade to
    a release greater than or equal to 10.3.13
    Jira Service Management Data Center and Server 11.2: upgrade to
    a release greater than or equal to 11.2.1

See the release notes. You can download the latest version of Jira
Service Management Data Center and Server from the download center.

The National Vulnerability Database provides the following description
for this vulnerability: Axios is a promise based HTTP client for the
browser and Node.js. When Axios prior to versions 0.30.2 and 1.12.0
runs on Node.js and is given a URL with the `data:` scheme, it does
not perform HTTP. Instead, its Node http adapter decodes the entire
payload into memory (`Buffer`/`Blob`) and returns a synthetic 200
response. This path ignores `maxContentLength` / `maxBodyLength`
(which only protect HTTP responses), so an attacker can supply a
very large `data:` URI and cause the process to allocate unbounded
memory and crash (DoS), even if the caller requested `responseType:
'stream'`. Versions 0.30.2 and 1.12.0 contain a patch for the issue.
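The NVD text above explains why the usual `maxContentLength` / `maxBodyLength` limits do not help here: with a `data:` URL there is no HTTP response to measure, the whole payload is decoded into memory first. Independently of the library fix, any code that accepts URLs from outside can bound the decoded size before handing the URL to a client. The JavaScript below is an added example, not axios code: `checkRequestUrl`, `dataUriDecodedSize`, the allowed-scheme list and the limits are this example's own, and the size is an upper bound computed from the URI text rather than by decoding it.

```javascript
// Added example: pre-flight check for caller-supplied URLs so that a data:
// URI cannot force an unbounded in-memory decode. Not axios code.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Upper bound on the decoded payload size of a data: URI, computed from the
// text length so that the check itself never allocates the payload.
function dataUriDecodedSize(url) {
  const comma = url.indexOf(",");
  if (comma < 0) return 0;
  const meta = url.slice("data:".length, comma);
  const body = url.slice(comma + 1);
  if (/;base64$/i.test(meta)) {
    const padding = (body.match(/=+$/) || [""])[0].length;
    return Math.floor((body.length * 3) / 4) - padding;
  }
  // A percent-encoded body decodes to at most its encoded length.
  return body.length;
}

// Returns { ok: true, ... } or { ok: false, reason } for a URL the caller
// intends to fetch. maxBytes bounds what we will hold in memory for a data:
// URI; data: is refused outright unless allowDataUri is set.
function checkRequestUrl(raw, { maxBytes = 1024 * 1024, allowDataUri = false } = {}) {
  let url;
  try {
    url = new URL(raw);
  } catch (_err) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol === "data:") {
    if (!allowDataUri) return { ok: false, reason: "data: URIs not accepted" };
    const size = dataUriDecodedSize(raw);
    if (size > maxBytes) {
      return { ok: false, reason: `data: payload of ~${size} bytes exceeds ${maxBytes}` };
    }
    return { ok: true, decodedBytes: size };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  return { ok: true };
}

// Constructed inputs: a 12-byte payload and a ~3 MiB one.
const SMALL_DATA_URI = "data:text/plain;base64,SGVsbG8sIHdvcmxk"; // "Hello, world"
const HUGE_DATA_URI =
  "data:application/octet-stream;base64," + "A".repeat(4 * 1024 * 1024);

console.log(checkRequestUrl("https://example.com/api"));
// → { ok: true }
console.log(checkRequestUrl(SMALL_DATA_URI, { allowDataUri: true }));
// → { ok: true, decodedBytes: 12 }
console.log(checkRequestUrl(HUGE_DATA_URI, { allowDataUri: true }).ok);
// → false
```

Call `checkRequestUrl` on the URL before `axios.get` (or any client) sees it, and pass the same byte limit you would configure as `maxContentLength`; a rejected result should be treated like an oversized response, not retried.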

_____________________________________________________________________

Prototype Pollution lodash.pick Dependency Vulnerability in Jira
Service Management Data Center and Server

    Type:    Public Security Vulnerability
    Resolution:    Fixed
    Priority:    High
    Fix Version/s:    10.3.12, 11.1.0
    Affects Version/s:    10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5,
        10.3.6, 10.3.7, 10.3.8, 10.3.9, 10.3.10, 10.3.11, 11.0.0, 11.0.1
    Component/s:    None
    Labels:    advisory advisory-to-release dont-import security

    CVSS Score:    7.4
    CVSS Severity:    High
    CVE ID:    CVE-2020-8203
    Vulnerability Source:    Atlassian (Internal)
    CVSSv3 Vector:    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
    Vulnerability Classes:    Prototype Pollution
    Affected Product(s):    Jira Service Management Data Center,
        Jira Service Management Server

This High severity Prototype Pollution vulnerability, known as
CVE-2020-8203, was introduced in version 10.3.0 of Jira Service
Management Data Center and Server.

This vulnerability, with a CVSS Score of 7.4 and a CVSS Vector of
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H, allows an
unauthenticated attacker to take actions with no impact on
confidentiality, high impact on integrity and high impact on
availability, and requires no user interaction.

Atlassian recommends that Jira Service Management Data Center and
Server customers upgrade to the latest version; if you are unable to
do so, upgrade your instance to one of the specified supported fixed
versions:

    Jira Service Management Data Center and Server 10.3: upgrade to
    a release greater than or equal to 10.3.12
    Jira Service Management Data Center and Server 11.1: upgrade to
    a release greater than or equal to 11.1.0

See the release notes. You can download the latest version of
Jira Service Management Data Center and Server from the download
center.

The National Vulnerability Database provides the following
description for this vulnerability: Prototype pollution attack
when using _.zipObjectDeep in lodash before 4.17.20.
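The two prototype pollution entries in this note describe the same defect in two shapes: the ZRender `merge`/`clone` workaround quoted earlier (drop `__proto__` from the object keys before merging) concerns a deep merge that follows a `__proto__` key, while lodash's `_.zipObjectDeep` builds objects from path strings and accepted `__proto__` as a path segment. The JavaScript below is an added example, not ZRender, ECharts or lodash code: `naiveMerge`, `safeMerge`, `naiveSetPath`, `safeSetPath`, the `pollutes` probe and the payloads are constructed here to put each naive form beside its hardened form.

```javascript
// Added example: a naive deep merge and a naive path setter, each beside a
// version that refuses to walk prototype-bearing keys. Not ZRender, ECharts
// or lodash code; all names are this example's own.

const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Naive recursive merge as commonly written. JSON.parse('{"__proto__": ...}')
// yields an object with an own "__proto__" key, so target["__proto__"]
// resolves to Object.prototype and the recursion writes into it.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: own keys only, dangerous names skipped, recursion only
// into plain objects the target itself owns (never inherited ones).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = safeMerge(own ? target[key] : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Naive "set by dotted path" (the zipObjectDeep shape: path string + value).
// "__proto__" as a segment walks into Object.prototype.
function naiveSetPath(obj, path, value) {
  const parts = path.split(".");
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (!isPlainObject(cur[parts[i]])) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Hardened setter: reject any path segment that names a prototype hook.
function safeSetPath(obj, path, value) {
  const parts = path.split(".");
  if (parts.some((p) => UNSAFE_KEYS.has(p))) {
    throw new Error(`refusing to set path with unsafe segment: ${path}`);
  }
  return naiveSetPath(obj, path, value);
}

// Probe: run `fn` on a fresh object and report whether Object.prototype gained
// a "polluted" key; the global state is restored afterwards.
function pollutes(fn) {
  try {
    fn({});
  } catch (_err) {
    // a hardened function may refuse the input outright
  }
  const hit = ({}).polluted === "yes";
  delete Object.prototype.polluted;
  return hit;
}

// Constructed payloads in the two shapes the advisories describe.
const MERGE_PAYLOAD = JSON.parse('{"__proto__": {"polluted": "yes"}}');
const PATH_PAYLOAD = ["__proto__.polluted", "yes"];

console.log(pollutes((o) => naiveMerge(o, MERGE_PAYLOAD)));     // → true
console.log(pollutes((o) => safeMerge(o, MERGE_PAYLOAD)));      // → false
console.log(pollutes((o) => naiveSetPath(o, ...PATH_PAYLOAD))); // → true
console.log(pollutes((o) => safeSetPath(o, ...PATH_PAYLOAD)));  // → false
```

The `pollutes` probe is also a usable regression test for any merge or path helper in a code base: feed it the helper wrapped in a closure and assert it returns false. Skipping `constructor` and `prototype` alongside `__proto__` closes the `constructor.prototype.x` route that a check for `__proto__` alone leaves open.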


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================